HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New York Governor Signs SHIELD Act into Law

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act has been signed into state law by New York Governor Andrew M. Cuomo. The Act improves privacy protections for state residents and strengthens New York’s data breach notification laws to ensure they maintain pace with current technology.

The SHIELD Act – S5575B/A5635B – was signed into law on July 25, 2019 and takes effect in 240 days. The Act makes several changes to existing state privacy and data breach notification laws:

The definition of covered entities has been broadened to include any person or entity that holds the private information of a New York State resident, irrespective of whether that person or entity does business in New York State.

All businesses must “develop, implement and maintain reasonable safeguards” to ensure the confidentiality, integrity, and availability of personal information. Those measures should reflect the size of the business. The SHIELD Act includes a list of factors considered to be ‘reasonable security protections’.

Please see the HIPAA Journal Privacy Policy

A written information security program must be developed which incorporates all SHIELD Act requirements. The responsibility for implementing and administrating the program must be assigned to an individual, who must also oversee employee receive training on SHIELD Act requirements.

The definition of a data breach has been expanded to include any unauthorized accessing of private information. Previously, notifications were only required when personal information had been acquired by an unauthorized individual.

The definition of a personal information has been expanded to include email addresses and usernames along with the associated password or security question answers that would allow the account to be accessed. The new law requires notifications to be issued if a financial account number is exposed along with any method of gaining access to the account. Biometric information is also now included in the definition of personal information warranting notifications.

As is the case with HIPAA, inadvertent and good faith disclosures of personal information are exempt from notifications provided there is little risk of harm.

Organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act, and financial service providers covered by the New York Department of Financial Services Cybersecurity Rule are given a safe harbor if they are in compliance with their respective regulations.

There is no change to the time scale for issuing notifications. They must be sent “in the most expedient time possible and without unreasonable delay.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.