The full set of amendments to New York’s data breach notification law enacted through the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July 2019 came into effect on March 21, 2020. The law now requires that any person or business that owns or licenses electronic data that contains “private information” of a New York resident have a data security program that includes minimum administrative, technical, and physical requirements to safeguard that information.

Other changes, which went into effect on October 23, 2019, expanded the definition of “private information” covered by the law and changed the threshold of unauthorized access that triggers data breach notification.

The SHIELD Act amendments create a special challenge for HIPAA-covered entities. The law deems such entities compliant by default with respect to electronic protected health information (ePHI); however, because New York data breach law as amended covers data elements linked to non-patients, HIPAA entities must ensure they are also compliant with respect to non-ePHI.

New "Reasonable Security" Requirements

The SHIELD Act’s data security requirements are organized around the same categories as the HIPAA Security Rule, and incorporate many of the same principles, such as implementation of security and risk management processes, workforce training and management, and ensuring the security and integrity of protected information during transmission, transit, destruction, and disposal. They also require that persons or businesses subject to the law enter into contracts with service providers that handle the entity’s covered information, which guarantees the service provider will comply with the required security safeguards.

Unlike HIPAA, however, the SHIELD Act does not require further limitation of the service provider’s use or disclosure of the protected information, or impose independent obligations upon the service provider.

One key difference is that the measures set forth under the SHIELD Act are more flexible than the HIPAA Security Rule requirements—there are fewer elements and no specifically mandated actions. For example, while the HIPAA Security Rule includes standards or specifications for items such as system access control, facility access control, workstation use and security, device and media controls, a workforce sanction program for violations of security policies and procedures, regular information system activity reviews, workforce security, data isolation, internal incident reporting, contingency planning, and periodic program evaluations, the SHIELD Act does not have similar standards or specifications.

Entities that already are subject to, and in compliance with, the data security requirements of HIPAA are deemed in compliance with New York’s new reasonable security requirements. This carve-out could be read to generally relieve a HIPAA-covered entity or business associate from specific compliance with the New York law, but there remains some risk that the New York Attorney General could seek to narrowly interpret the HIPAA exemption as only applying to ePHI, and require compliance with the new reasonable security requirements for private information that is not subject to HIPAA.

Broader Definition of "Private Information" and Applicability

As a result of other changes introduced under the SHIELD Act, New York’s data breach law now broadly applies to healthcare entities—and other entities—nationwide that electronically maintain any covered “private information” of even a single New York resident.

The definition of “private information” was expanded to cover unique biometric information (e.g., an individual’s fingerprint, retina scan, voiceprint, etc.) and any financial account identifier that would provide access to the account. Unsecured usernames and e-mail addresses are now also in scope when in combination with a password or security question and answer that would permit access to the account.

Further, the original law’s requirement that a person or business must conduct business in New York State to be subject to its individual notice provisions was eliminated. Now, individual notice requirements are triggered for owners and licensees of electronic data that include any private information of a New York resident. If a business has no minimum contacts in New York, however, there may remain an argument that the business is not subject to the legislative jurisdiction of New York State.

Expanded Meaning of "Data Breach" and Notification Requirements

The SHIELD Act expanded the definition of data breach beyond unauthorized acquisition to also include unauthorized access to electronic data that compromises the security, confidentiality, or integrity of private information held by an in-scope entity. This fundamentally lowers the threshold for triggering the law’s data breach notification requirements, and brings it closer to the HIPAA breach notification standards, which are also triggered by either impermissible acquisition or access.

New York also changed the breach notification requirements that affect HIPAA-covered entities, which went into effect on October 23, 2019. First, a HIPAA-covered entity that is required to provide notice of a breach under HIPAA or HITECH—even if the breach does not involve “protected information” under New York’s data breach law—must also provide such notification to the New York Attorney General within five business days of notifying the Secretary of HHS. Second, a HIPAA-covered entity is exempted from the data breach law’s notice requirement for affected individuals if notice to those individuals must be provided pursuant to the breach notification requirements of HIPAA.

Impacts and Implications for Healthcare Entities

As a whole, the SHIELD Act reflects a growing trend among state data privacy and cybersecurity laws to expand both the scope of information covered and the circumstances under which businesses must disclose data breaches. Healthcare entities in particular may need to consider extending their HIPAA Security Rule framework to also cover protected “private information” that is not already regulated as ePHI, in order to reduce potential exposure under New York’s breach law should a security event occur.