Update to the SHIELD Act
In our December 2017 issue of Health Law Pointers, we informed you that the New York State attorney general introduced introduced a proposal for new legislation titled the “Stop Hacks and Improve Electronic Data Security Act” (the “SHIELD Act”). At the time of our December 2017 edition, the legislation was merely introduced and had many steps to overcome before becoming a law in New York State.
Recently, the New York legislature passed the SHIELD Act and is currently awaiting the Governor’s signature. There is strong speculation that the Governor will sign the SHIELD Act into law. Given the likelihood of the Governor’s signature, we wish to remind you of some of the important changes the SHIELD Act will have on New York law.
The SHIELD Act will expand notification requirements for all businesses that maintain or license data containing New York residents’ private information regardless of whether the entity is physically located in New York. Further, the SHIELD Act expands the type of information considered “private information” under New York Law. Under the SHIELD Act, “private information” subject to mandatory reporting will now include: (1) financial account numbers, (2) biometric data, (3) protected health information under HIPAA, and (4) username or email address in combination with a password or security question. Further, the SHIELD Act expands a “data breach” of "private information" from mere acquisition to include the “unauthorized access” to resident’s private information. Moreover, the SHIELD Act establishes obligations for entities to establish "reasonable security safeguards" to protect the security, confidentiality and integrity of private information.
We will continue to monitor this legislation and further update you as more information is made available. In the meantime, Hurwitz & Fine, P.C.’s attorneys are available to analyze and discuss with you the effect of this legislation on your business, professional practices and your security safeguards.