By Stacey Lipitz Marder, Esq.
Under New York's Stop Hacks and Improve Electronic Data Security ("SHIELD") Act, which was signed into law on July 25, 2019, significant amendments have been made to the existing New York State Information Security Breach and Notification Act ("NY Breach and Notification Act"). This law governs notification and reporting obligations in the event of a breach involving "private information", including for entities in the health care sector. The new rules governing breach notifications went into effect October 23, 2019, while the data security requirements go into effect March 21, 2020.
The NY Breach and Notification Act now applies to any person or business that owns or licenses private information of a New York resident, regardless of whether the entity is located in New York. The SHIELD Act also broadens the definition of "private information" to include a driver's license number, biometric information, a username or email address in combination with a password or security questions and answers, and credit/debit card numbers (even without a password).
Under the SHIELD Act, a "breach" now includes unauthorized "access" to computerized data that compromises the security, confidentiality or integrity of "private information", rather than only the unauthorized acquisition of computerized data as under the previous NY Breach and Notification Act. However, entities may not have to go forward with notification/reporting obligations if they can document that a potential breach was an inadvertent disclosure unlikely to result in the misuse of information.
Although under the SHIELD Act consumers are not required to be notified in the event of a breach if notice is already being given under other state or federal rules or regulations, including for instance HIPAA or HITECH, notice of a breach must still be provided to the Attorney General, the Department of State and the State Police.
To the extent entities are not already subject to information security laws, including for instance HIPAA and the Gramm-Leach-Bliley Act, such entities will be required to implement information security programs.
The SHIELD Act also doubles the penalty that can be recovered by the Attorney General from $10 to $20 per failed notification and increases the maximum penalty from $100,000 to
In light of the SHIELD Act and New York's strengthening of its enforcement of consumer privacy and data protection, entities in possession of electronic data involving New York residents, including health care providers, need to ensure that their security programs, including HIPAA compliance programs, are up to date and compliant. To the extent an entity has an existing HIPAA compliance program, that program will have to be updated to incorporate the changes regarding breach notification required by the SHIELD Act. Entities that do not have HIPAA compliance programs will also need to develop administrative, technical and physical safeguards in order to comply.
About the Author:
Stacey Lipitz Marder is senior counsel at Weiss Zarett Brofman Sonnenklar & Levy, PC, with experience representing healthcare providers in connection with transactional and regulatory matters, including the formation and structure of business entities, negotiating and drafting contracts and commercial real estate leases, stock and asset acquisitions, and general corporate counseling. Ms. Marder also has experience advising healthcare clients on a wide range of regulatory issues, including Stark, the Anti-Kickback Statute, fraud and abuse regulations, HIPAA, reimbursement and licensing matters.
Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a Long Island law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors' rights, and commercial real estate transactions.
ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.