The SHIELD Act: NY's New Data Protection Requirements Take Effect
In his Health Law column, Francis J. Serbaroli discusses New York's new SHIELD Act, which imposes new data security and data breach reporting requirements on any entity in possession of private information of New York residents regardless of whether the entity is located in New York. The Act also levies higher penalties for non-compliance with its data security and reporting requirements, but does not provide for a private cause of action.
November 25, 2019 at 11:30 AM
Major data breaches that jeopardize the confidential personal, financial and health information of millions of Americans continue to make headlines. Virtually all organizations—including government—that compile and store personal data are vulnerable, as are the contractors, vendors, and others with whom they share such data. Recently, a security breach at a medical collection agency serving hospitals and clinical laboratories compromised the confidential information of between 20 and 25 million patients, including patients at a major hospital system in New York City. A large upstate health system recently agreed to pay $3 million and take substantial corrective action after personal health information of patients was improperly disclosed as a result of the loss of an unencrypted flash drive and the theft of an unencrypted laptop computer.
Earlier this year, New York's Legislature enacted and Governor Andrew Cuomo signed into law the "Stop Hacks and Improve Electronic Data Security Act," or the "SHIELD" Act. (S.5575B/A.5635) The SHIELD Act adds important new requirements for businesses and organizations—including those throughout the health care sector—to safeguard personal and private information. The Act makes revisions to §899-aa and adds a new §899-bb to the General Business Law (GBL), and amends the State Technology Law.
Expanded Information Protected
The Act significantly expands the types of "private" information that must be protected, and the breaches that must be reported. The Act covers not only "personal information" currently defined in GBL §899-aa(1)(a) as:
any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person … .
but also "private information" which is now defined as either:
(i) personal information in combination with any one or more of the following data elements that were not encrypted, or was encrypted with an encryption key but was accessed or acquired:
- social security number;
- driver's license number or non-driver ID card;
- account number, credit or debit card number in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; or
- biometric information such as a fingerprint, voiceprint, retina or iris image, or other unique physical representation or digital representation of biometric data used to authenticate or ascertain the individual's identity.
(ii) a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account; or
(iii) any unsecured protected health information held by a "covered entity" as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Id. 899-aa(1)(b).
The Act expands the definition of a "breach" to include not only unauthorized acquisition of computerized private information maintained by a business, but also unauthorized "access" to such information (i.e., information that was viewed, communicated with, or altered without valid authorization or by an unauthorized person).
Compliance
The Act mandates the following data security requirement in a new GBL §899-bb(2):
Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
Rather than setting forth detailed safeguards for personal and private information, the Act states that a business will be deemed to be "in compliance" if:
(i) it is a compliant regulated entity:
- under the federal regulations promulgated pursuant to 15 U.S.C. 6801-6809 (Title V of the Gramm-Leach-Bliley Act);
- under the federal regulations implementing HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH);
- under 23 NYCRR Part 500 ("Cybersecurity Requirements for Financial Services Companies") promulgated by the Department of Financial Services; and
- under any other data security laws and regulations of the federal and New York State governments;
(ii) it implements a data security program having reasonable administrative safeguards, such as:
- designates one or more employees to coordinate the security program;
- identifies reasonably foreseeable internal or external risks;
- assesses the sufficiency of safeguards in place to control the identified risks;
- trains and manages employees in the security program practices and procedures;
- selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
- adjusts the security program in light of business or new circumstances.
(iii) it implements a data program that has reasonable technical safeguards such as the following:
- assesses risks in network and software design;
- assesses risks in information processing, transmission, and storage;
- detects, prevents and responds to attacks or system failures; and
- regularly tests and monitors the effectiveness of key controls, systems and procedures.
(iv) it implements a data program that has reasonable physical safeguards such as the following:
- assesses risks of information storage and disposal;
- detects, prevents and responds to intrusions;
- protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
- disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed. Id. §899-bb(2)(b).
A small business (fewer than 50 employees, less than $3 million in gross annual revenue in each of the last 3 fiscal years, or less than $5 million in year-end total assets) will be deemed in compliance:
if the small business's security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers. Id. §899-bb(2)(c).
Violations
The Act declares a violation of its data security requirements to be a violation of GBL §349 which makes deceptive acts or practices unlawful. It authorizes the attorney general to bring an action to enjoin violations of the Act, and to obtain civil penalties of $5,000 per violation as set forth in GBL §350-d.
It is important to note that the Act specifically states that its data security requirements create no private right of action for any violations. Id. §899-bb(2)(e).
Reporting and Notification
The Act broadens the definition of "breach of the security of the system" to include not just acquisition but also access to data:
… unauthorized access to or acquisition of, or access to or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business. Id. §899-aa(1)(c).
The Act cites as examples of access:
… indications that the information was viewed, communicated with, used or altered by a person without valid authorization or by an unauthorized person.
Such indications include:
- whether the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device;
- whether the information has been downloaded or copied; or
- whether the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.
The requirement to notify consumers in GBL §899-aa(2) has been amended to include unauthorized access to information, and it removes the previous limitation on the notice requirement to businesses located in New York:
Any person or business which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the integrity of the system.
The Act states that notification is not necessary if the exposure of private information was an "inadvertent disclosure by persons authorized to access private information" and a reasonable determination is made that such exposure will not likely result in misuse of the information, or financial or emotional harm. However, the person or business making such a determination is required to document it in writing and retain it for five years. If the exposure involves more than 500 residents of New York, the determination must be provided to the attorney general within 10 days after the determination is made. Id. §899-aa(2)(a-b).
The Act also states that it does not require notice to consumers if notice is already being given to consumers under other state or federal laws or regulations, such as HIPAA and HITECH. However, notice must still be provided to the attorney general, the Department of State and the state police.
The attorney general remains authorized to bring an action to enjoin and restrain the continuation of any violation of the breach reporting requirements, but the Act doubles the penalty recoverable by the attorney general from $10 to $20 per instance of failed notification, and increases the maximum penalty recoverable to $250,000 from $150,000. The Act also increases the time within which the attorney general may bring an action from two to three years.
Effective Dates
The SHIELD Act's amendments to the breach notification requirements took effect on Oct. 23, 2019. The law gives businesses until March 21, 2020 to comply with the amendments to its data security requirements.
State Agencies
The SHIELD Act also amends the State Technology Law by applying many of the new definitions, data security and breach notification requirements to state government agencies and entities.
Conclusion
The SHIELD Act covers any and all persons or entities that have the private information of New York residents regardless of size or whether they are actually located in New York. It applies to for-profits and not-for-profits. Virtually every health care provider and payor in New York is already required to abide by the HIPAA and HITECH regulations covering security of personal health information, but they must become familiar with the SHIELD Act's provisions and make appropriate revisions to their data security compliance policies and procedures. Vendors and contractors with which private information is shared must also get into compliance with the SHIELD Act's requirements.
Francis J. Serbaroli is a shareholder in Greenberg Traurig and the former vice chair of The New York State Public Health Council.