On July 25, 2019 the Governor of New York signed into law the “Stop Hacks and Improve Electronic Data Security Act” (SHIELD ACT). Reporting requirements go into effect October 23, 2019, with security requirements effective March 21, 2020. This Act amends New York’s existing data breach notification law by expanding the definition of “Private Information” and by adding “Data Breach Security Protections” similar to those of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It is important that healthcare organizations that own or license any computerized information of New York residents are aware of this Act as they may need to add additional cybersecurity safeguards and will have new reporting requirements in the event of a breach.
There are a number of definitions that are important to know in order to understand an organization’s obligations under the SHIELD Act. First, Personal Information is defined by the Act as:
any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
Next, Private Information is defined as:
(I) personal information consisting of any information in combination with any one or more of the following data elements, when either the DATA ELEMENT OR THE COMBINATION OF personal information [or] PLUS the data element is not encrypted, or IS encrypted with an encryption key that has also been ACCESSED OR acquired:
(1) social security number;
(2) driver’s license number or non-driver identification card number; [or]
(3) account number, credit or debit card number, in combination with any required security code, access code, [or] password OR OTHER INFORMATION that would permit access to an individual’s financial account;
(4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
5) biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; or
(II) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Finally, breach of the security of a system is defined under the Act as:
Unauthorized ACCESS TO or ACQUISITION OF, or ACCESS TO or ACQUISITION OF without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of [personal] PRIVATE information maintained by a business. Good faith ACCESS TO or ACQUISITION OF [personal] PRIVATE information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
Whenever there is a breach of private information as defined under the SHIELD Act involving the private information of a New York resident, the organization suffering the breach is required to report the breach to the affected New York state residents according to the Act and provide notification to the State Attorney General, the New York Department of State and the New York State Police. Important for healthcare organizations is that even though medical treatment and health insurance information is not included in the definition of Private Information, if a breach at a healthcare organization includes Private Information, as defined under this act, it must be reported as set forth above.
If a healthcare organization suffers a breach that requires it to provide notification to affected individuals under HIPAA and also under the SHIELD Act, in a case where the breach includes Private Information under the SHIELD Act and Electronic Protected Health Information as defined under HIPAA, it is sufficient to provide affected New York residents only the notice required under HIPAA, provided notice is also given to the State Attorney General, the New York Department of State and the New York Office of Information Technology Services. If a healthcare organization suffers a breach that is reportable to the Secretary of Health and Human Services (HHS) under HIPAA, regardless if it is a reportable breach of Private Information under the SHIELD Act, it must report it to the Attorney General of New York within five days of the report to HHS. The SHIELD Act also includes new requirements for “Data Breach Security Protections” similar to the HIPAA Security Rule, including reasonable safeguards to protect the security, confidentiality and integrity of Private Information. Specifically, to be in compliance an organization either:
(i) is a compliant regulated entity as defined in subdivision one of this section; or(ii) implements a data security program that includes the following:(a) reasonable administrative safeguards such as the following, in which the person or business:(1) designates one or more employees to coordinate the security program;(2) identifies reasonably foreseeable internal and external risks;(3) assesses the sufficiency of safeguards in place to control the identified risks;(4) trains and manages employees in the security program practices and procedures;(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and(6) adjusts the security program in light of business changes or new circumstances; and (b) reasonable technical safeguards such as the following, in which the person or business:(1) assesses risks in network and software design;(2) assesses risks in information processing, transmission and storage;(3) detects, prevents and responds to attacks or system failures; and(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and(c) reasonable physical safeguards such as the following, in which the person or business:(1) assesses risks of information storage and disposal;(2) detects, prevents and responds to intrusions;(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Fortunately for healthcare organizations, if they are covered by and complying with the HIPAA Security Rule they are considered a “compliant regulated entity” under (i) above. Also, similar to the HIPAA Enforcement Rule, smaller organizations are given more leeway in deploying safeguards.
The State Attorney General may bring an action for violations of the SHIELD Act on behalf of residents of New York affected by a violation. If the Court determines that there was a violation of the data breach notification requirements and that it was not reckless or knowing, the court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations, the court may impose penalties of the greater of $5,000 or up to $20 per instance with a cap of $250,000. For reasonable safeguard requirement violations, the court may impose penalties of not more than $5,000 per violation. There is no private right of action under the law.
Based on the above, we advise healthcare organizations who own or license information of New York residents to include in the scope of their risk analysis those systems used to create, receive, maintain or transmit Private information as defined within the SHIELD Act. We also recommend they update their breach notification procedures to include providing the notifications under this Act as required.
If you have questions about the SHIELD Act and its implications for your organization or need assistance reviewing procedures or conducting a thorough risk analysis, please contact Clearwater at email@example.com.