The SHIELD Act: NY's New Data Protection Requirements Take Effect
In his Health Law column, Francis J. Serbaroli discusses New York's new SHIELD Act, which imposes new data security and data breach reporting requirements on any entity in possession of private information of New York residents regardless of whether the entity is located in New York. The Act also levies higher penalties for non-compliance with its data security and reporting requirements, but does not provide for a private cause of action.
November 25, 2019 at 11:30 AM
Major data breaches that jeopardize the confidential personal, financial and health information of millions of Americans continue to make headlines. Virtually all organizations—including government—that compile and store personal data are vulnerable, as are the contractors, vendors, and others with whom they share such data. Recently, a security breach at a medical collection agency serving hospitals and clinical laboratories compromised the confidential information of between 20-25 million patients, including patients at a major hospital system in New York City. A large upstate health system recently agreed to pay $3 million and take substantial corrective action after personal health information of patients was improperly disclosed as a result of the loss of an unencrypted flash drive and the theft of an unencrypted laptop computer.
Earlier this year, New York's Legislature enacted and Governor Andrew Cuomo signed into law the "Stop Hacks and Improve Electronic Data Security Act," or the "SHIELD" Act (S.5575B/A.5635). The SHIELD Act adds important new requirements for businesses and organizations—including those throughout the health care sector—to safeguard personal and private information. The Act makes revisions to §899-aa and adds a new §899-bb to the General Business Law (GBL), and amends the State Technology Law.
Expanded Information Protected
The Act significantly expands the types of "private" information that must be protected, and the breaches that must be reported. The Act covers not only "personal information" currently defined in GBL §899-aa(1)(a) as:
any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person … .
but also "private information" which is now defined as either:
(i) personal information in combination with any one or more of the following data elements that were not encrypted, or was encrypted with an encryption key but was accessed or acquired:
- social security number;
- driver's license number or non-driver ID card;
- account number, credit or debit card number in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; or
- biometric information such as a fingerprint, voiceprint, retina or iris image, or other unique physical representation or digital representation of biometric data used to authenticate or ascertain the individual's identity.
(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account; or
(iii) any unsecured protected health information held by a "covered entity" as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Id. §899-aa(1)(b).
The Act expands the definition of a "breach" to include not only unauthorized acquisition of computerized private information maintained by a business, but also unauthorized "access" to such information (i.e., information that was viewed, communicated with, or altered without valid authorization or by an unauthorized person).
Compliance
The Act mandates the following data security requirement in a new GBL §899-bb(2):
Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
Rather than setting forth detailed safeguards for personal and private information, the Act states that a business will be deemed to be "in compliance" if:
(i) it is a compliant regulated entity:
- under the federal regulations promulgated pursuant to 15 U.S.C. 6801-6809 (Title V of the Gramm-Leach-Bliley Act);
- under the federal regulations implementing HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH);
- under 23 NYCRR Part 500 ("Cybersecurity Requirements for Financial Services Companies") promulgated by the Department of Financial Services; and
- under any other data security laws and regulations of the federal and New York State governments;
(ii) it implements a data security program having reasonable administrative safeguards, such as:
- designates one or more employees to coordinate the security program;
- identifies reasonably foreseeable internal or external risks;
- assesses the sufficiency of safeguards in place to control the identified risks;
- trains and manages employees in the security program practices and procedures;
- selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
- adjusts the security program in light of business or new circumstances.
(iii) it implements a data program that has reasonable technical safeguards such as the following:
- assesses risks in network and software design;
- assesses risks in information processing, transmission, and storage;
- detects, prevents and responds to attacks or system failures; and
- regularly tests and monitors the effectiveness of key controls, systems and procedures.
(iv) it implements a data program that has reasonable physical safeguards such as the following:
- assesses risks of information storage and disposal;
- detects, prevents and responds to intrusions;
- protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed. Id. §899-bb(2)(b).
A small business (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last 3 fiscal years, or less than $5 million in year-end total assets) will be deemed in compliance:
if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers. Id. §899-bb(2)(c).
Violations
The Act declares a violation of its data security requirements to be a violation of GBL §349 which makes deceptive acts or practices unlawful. It authorizes the attorney general to bring an action to enjoin violations of the Act, and to obtain civil penalties of $5,000 per violation as set forth in GBL §350-d.
It is important to note that the Act specifically states that its data security requirements create no private right of action for any violations. Id. §899-bb(2)(e).
Reporting and Notification
The Act broadens the definition of "breach of the security of the system" to include not just acquisition but also access to data:
… unauthorized access to or acquisition of, or access to or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business. Id. §899-aa(1)(c).
The Act cites as examples of access:
… indications that the information was viewed, communicated with, used or altered by a person without valid authorization or by an unauthorized person.
Such indications include:
- whether the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device;
- whether the information has been downloaded or copied; or
- whether the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
The requirement to notify consumers in GBL §899-aa(2) has been amended to include unauthorized access to information, and it removes the previous limitation on the notice requirement to businesses located in New York:
Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the integrity of the system.
The Act states that notification is not necessary if the exposure of private information was an "inadvertent disclosure by persons authorized to access private information" and a reasonable determination is made that such exposure will not likely result in misuse of the information, or financial or emotional harm. However, the person or business making such a determination is required to document it in writing and retain it for five years. If the exposure involves more than 500 residents of New York, the determination must be provided to the attorney general within 10 days after the determination is made. Id. §899-aa(2)(a-b).
The Act also states that it does not require notice to consumers if notice is already being given to consumers under other state or federal laws or regulations, such as HIPAA and HITECH. However, notice must still be provided to the attorney general, the Department of State and the state police.
The attorney general remains authorized to bring an action to enjoin and restrain the continuation of any violation of the breach reporting requirements, but the Act doubles the penalty recoverable by the attorney general from $10 to $20 per instance of failed notification, and increases the maximum penalty recoverable to $250,000 from $150,000. The Act also increases the time within which the attorney general may bring an action from two to three years.
Effective Dates
The SHIELD Act's amendments to the breach notification requirements took effect on Oct. 23, 2019. The law gives businesses until March 21, 2020 to comply with the amendments to its data security requirements.
State Agencies
The SHIELD Act also amends the State Technology Law by applying many of the new definitions, data security and breach notification requirements to state government agencies and entities.
Conclusion
The SHIELD Act covers any and all persons or entities that have the private information of New York residents regardless of size or whether they are actually located in New York. It applies to for-profits and not-for-profits. Virtually every health care provider and payor in New York is already required to abide by the HIPAA and HITECH regulations covering security of personal health information, but they must become familiar with the SHIELD Act's provisions and make appropriate revisions to their data security compliance policies and procedures. Vendors and contractors with which private information is shared must also get into compliance with the SHIELD Act's requirements.
Francis J. Serbaroli is a shareholder in Greenberg Traurig and the former vice chair of The New York State Public Health Council.