NY AG Introduces SHIELD Act to Improve Security of PHI

Attorney General Eric T. Schneiderman has introduced the ‘Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)’ into the New York legislature. It is hoped that the Act will protect New Yorkers from unnecessary breaches of their personal data and ensure they are alerted when such breaches happen.

The program bill, championed by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to enhance security for citizens of New York without placing an unnecessary burden or expense on businesses.

The SHIELD Act comes just weeks after the announcement of the Equifax data breach, which affected more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase from the previous year.

Attorney General Schneiderman said that New York’s data security legislation is “weak and outdated” and requires an urgent refresh. While federal laws require some groups to implement data security controls, in New York there is no obligation for businesses to put safeguards in place to secure the personal identifying information of New Yorkers if the data does not involve a Social Security number.

The SHIELD Act requires all businesses, regardless of where they are based, to adopt reasonable administrative, physical, and technical security measures if they hold the sensitive data of New Yorkers. The law will apply even to organizations that do not do business in the state of New York.

While many states have brought in data breach notification laws that require individuals impacted by breaches of information such as username/password combinations and biometric data to be alerted to the incidents, New York has no such obligation. The SHIELD Act will change that and bring state law in line with many other U.S. states.

Breach notification requirements will be updated to cover breaches of username/password combinations, biometric data, and protected health information covered by HIPAA. Breach notifications will be required when unauthorized individuals are found to have gained access to personal information, as well as in cases of data theft.

Attorney General Schneiderman is asking businesses to go above and beyond the requirements of the SHIELD Act and obtain independent certification of their security measures to demonstrate that they exceed the minimum required standards.

A flexible standard is being introduced for small businesses to ease the expense of the regulatory burden. Required safeguards can be scaled to the organization’s size for businesses employing fewer than 50 workers if gross revenue is under $3 million or they have less than $5 million in assets.

HIPAA-covered entities, and organizations compliant with the Gramm-Leach-Bliley Act or NYS DFS regulations, will be deemed already in compliance with the data security requirements of the SHIELD Act.

Failure to comply with the provisions of the SHIELD Act will be treated as a violation of General Business Law (GBL § 349) and will permit the state attorney general to bring a suit and seek civil penalties under GBL § 350(d).