By Stacey Lipitz Marder, Esq.

As per New York’s Stop Hacks and Improve Electric Data Security (“SHIELD”) Act, which was signed into law on July 25, 2019, significant amendments have been made to the existing New York State Information Security Breach and Notification Act (“NY Breach and Notification Act”). This law governs notification and reporting obligations in the event of a breach involving “private information”, including those in the health care sector.  The new rules governing breach notifications went into effect October 23, 2019, while the data security requirements go into effect March 21, 2020.

Specifically, the NY Breach and Notification Act now applies to any person or business that owns or licenses private information of a New York resident regardless of whether the entity is located in New York. The SHIELD Act also broadens the definition of “private information” to include a driver’s license number, biometric information, username/email address in combination with a password or security questions and answers, and credit/debit card numbers (even without a password).

Under the SHIELD Act, a “breach” now includes unauthorized “access” of computerized data that compromises the security, confidentiality or integrity of “private information” rather than the unauthorized acquisition of computerized data as per the previous NY Breach and Notification Act.  However, entities may not have to go forward with notification/reporting obligations if they can document that a potential breach was an inadvertent disclosure unlikely to result in the misuse of information.

Although under the SHIELD Act consumers are not required to be notified in the event of a breach if notice is already being given under other state or federal rules or regulations, including for instance under HIPAA or HITECH, notice of a breach must still be provided to the Attorney General, the Department of State and the State Police as applicable.

To the extent entities are not already subject to information security laws, including for instance HIPAA and the Gramm-Leach-Bliley Act, such entities will be required to implement information security programs.

The SHIELD Act also doubles the penalty that can be recovered by the Attorney General from $10 to $20 per failed notification and increases the maximum penalty from $100,000 to $250,000.

In light of the SHIELD Act and New York’s strengthening of its enforcement of consumer privacy and data protection, entities in possession of electronic data involving New York residents, including health care providers, need to ensure that their security programs, including HIPAA compliance programs, are up to date and compliant.  To the extent an entity has an existing HIPAA compliance program, such program will have to be updated to incorporate the changes regarding breach notification in compliance with the SHIELD Act.  For entities that do not have HIPAA compliance programs, these entities will also need to develop administrative, technical and physical safeguards in order to comply.

Should you have any questions regarding the SHIELD Act please contact Stacey Marder at 516-926-3319 or SMarder@weisszarett.com.

About the Author:

Stacey Lipitz Marder is senior counsel at Weiss Zarett Brofman Sonnenklar & Levy, PC with experience representing healthcare providers in connection with transactional and regulatory matters including the formation and structure of business entities, negotiating and drafting contracts and commercial real estate leases, stock and asset acquisitions and general corporate counseling. Ms. Marder also has experience advising healthcare clients on a wide range of regulatory issues including Stark, the Anti-Kickback Statute, fraud and abuse regulations, HIPAA, reimbursement and licensing matters.

Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a Long Island law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors' rights, and commercial real estate transactions.

ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.