NY AG Introduces SHIELD Act to Improve Security of PHI

by Patrick Kennedy | Nov 9, 2017

Attorney General Eric T. Schneiderman has introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into the New York legislature. It is hoped that the Act will protect New Yorkers from unnecessary breaches of their personal data and ensure they are alerted when such breaches happen.

The program bill, championed by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to enhance security for the citizens of New York without placing an unnecessary burden or expense on businesses.

The introduction of the SHIELD Act comes just weeks after the announcement of the Equifax data breach, which affected more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office, a 60% increase from the previous year.

Attorney General Schneiderman said that New York’s data security legislation is “weak and outdated” and requires an urgent refresh. While federal laws require some groups to implement data security controls, in New York there is no obligation for businesses to put safeguards in place to secure the personal identifying information of New Yorkers if the data does not involve a Social Security number.

The SHIELD Act requires all businesses that hold the sensitive data of New Yorkers, regardless of where they are based, to adopt reasonable administrative, physical, and technical security measures. The law will apply even to organizations that do not do business in New York State.

While many states have brought in data breach notification laws that require individuals affected by breaches of information such as username/password combinations and biometric data to be notified of the incident, New York has no such obligation. The SHIELD Act will change that and bring state law in line with many other U.S. states.

Breach notification requirements will be updated to cover breaches of username/password combinations, biometric data, and protected health information covered by HIPAA. Breach notifications will be required when unauthorized individuals are found to have gained access to personal information, as well as in cases of data theft.

Attorney General Schneiderman is asking businesses to go above and beyond the requirements of the SHIELD Act and obtain independent certification of their security measures to demonstrate that they exceed the minimum required standards.

A flexible standard is being introduced for small businesses to ease the expense of the regulatory burden. Safeguards can be scaled to the organization’s size for businesses employing fewer than 50 workers if gross revenue is under $3 million or they have less than $5 million in assets.

HIPAA-covered entities, and organizations compliant with the Gramm-Leach-Bliley Act or NYS DFS legislation, will be deemed to already be in compliance with the data security requirements of the SHIELD Act.

Failure to comply with the provisions of the SHIELD Act will be treated as a violation of General Business Law (GBL § 349) and will permit the state attorney general to bring a suit and seek civil penalties under GBL § 350(d).


Patrick Kennedy