Data Breach Notification Requirements

The New York SHIELD Act and HIPAA both contain data breach notification requirements. 

The SHIELD Act’s provisions apply to any person or business – whether conducting business in New York or not – that owns or licenses computerized data containing private information of a New York resident. 

The NY SHIELD Act contains three key terms that are necessary to understand the revised data breach notification requirements. These three terms are:

• Personal information
• Private information
• Data elements

Term 1: Personal information

Personal information is defined as any information concerning a person which, because of name, number, personal mark, or other identifier, can be used to identify that person.

Term 2: Private information

Private information consists of:

• Personal information, that
• Consists of any information in combination with one more data elements, WHEN
  • Either the data element, or the combination of personal information plus the data element, is not encrypted; or
  • When the data element, or the combination of personal information plus the data element, is encrypted with an encryption key that has been accessed or acquired. 

Term 3: Data elements

Under current New York law, data elements consist of the following: 

• Social Security numbers
• Driver’s license numbers
• Non-driver identification card numbers;
• Bank account numbers, credit card numbers, and debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The NY SHIELD Act strengthens existing New York state law breach notification requirements by:

• Modifying the contents of the “bank account number, credit card number, and debit card number” data element. Under the SHIELD Act, that data element now is comprised of an “account number, credit or debit card number, if circumstances exist such that the number can be used to access a person’s financial account without additional identifying information, security code, access code, or password.”
• Adding two types of data elements to which the New York data breach notification law applies. These two types of information are:
  • Biometric information, which is defined as data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, or retina or iris image; and
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
  • Expanding the definition of a “breach” to include unauthorized access to private information. Previously, a “breach” was defined as unauthorized acquisition of personal information. A breach is now defined as:
    • Unauthorized access to or acquisition of, or access to or acquisition,
    • Without valid authorization,
    • Of computerized data,
    • That compromises the security, confidentiality, or integrity
    • Of private information maintained by a business.

What is a NY SHIELD Act Breach?

Under the SHIELD Act, a breach of the system is:

• An unauthorized access to or acquisition of, or access to or acquisition,
• Without valid authorization,
• Of computerized data,
• That compromises the security, confidentiality, or integrity of private information maintained by a business. 

If a person or business commits a SHIELD Act breach, that person or business must comply with SHIELD Act notification requirements, which are explained below.

How Do HIPAA Breach Notification Requirements Interact with SHIELD Law Requirements?

When HIPAA requires notification of a breach to the Secretary of Health and Human Services and to affected individuals, the breaching entity, under the SHIELD law, must also notify the New York State Attorney General of the breach – within 5 business days of notifying HHS. In other words, in this circumstance, the New York SHIELD Act AND HIPAA both require HHS be notified.  However, in this situation, the SHIELD law does not require that affected individuals be notified. This is because HIPAA already imposes that requirement. 

Can Notification be Required under HIPAA and NOT the SHIELD Act?

Yes. This is so because the NY SHIELD Act and HIPAA do not contain the same number of data elements that can be the subject of a breach,.

The HIPAA Breach Definition

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals; HHS; and, in some cases, the media of a breach of unsecured PHI. Generally, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. PHI, under HIPAA, can consist of one or more of 18 data elements.

The New York SHIELD Act and HIPAA dramatically differ as to the number of data elements. The SHIELD Act contains a much smaller class of data elements – that is, a number of pieces of information considered to be “data elements” under HIPAA, are NOT considered to be data elements under the SHIELD Act. 

One such data element is an IP address. An IP address is considered to be a data element under HIPAA, but not under the SHIELD Act. Therefore, if a breach occurs with respect to that IP address, the breach has occurred under HIPAA, but not under the SHIELD Act, meaning only the HIPAA breach notification requirements, and NOT the SHIELD Act breach notification requirements, are triggered.

What Information Must be Contained in a SHIELD Act Data Breach Notice?

The New York SHIELD Act and HIPAA both require that certain information be contained in a breach notice.

The SHIELD Act breach disclosure provisions apply to any person or business that owns or licenses computerized data that includes private information of a New York resident.

These entities must disclose security breaches following discovery or notification of the breach in the security of the system, to any resident of New York state whose private information was, or is reasonably believed to have been, accessed or acquired by a person without valid authorization.

Under current New York law, a data breach notice to affected individuals must contain the contact information for the person or business making the notification. The SHIELD Act modifies this requirement by imposing additional contact information requirements.

Under the SHIELD Act, the notice must include not only contact information for the person or business making the notification, but must also include the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information. 

Breach Notification Requirements in General

In the event that any New York residents are to be notified, the person or business must notify the New York State Attorney General, the department of state, and the division of state police as to the timing, content and distribution of the notices and approximate number of affected people, and must provide a copy of the template of the notice sent to affected individuals. Such notice must be made without delaying notice to affected New York residents.

“Large Breach” Notification Requirements

In the event that more than five thousand New York residents are to be notified at one time, the person or business must also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected individuals. Such notice must be made without delaying notice to affected New York residents.  

The SHIELD Act data breach provisions discussed above, become effective on October 23, 2019.

NY SHIELD Act Data Security Provisions

The SHIELD Act, in addition to amending New York’s data breach notification law, also adds new data security protections to New York law. These data security protections become effective on March 21, 2020.

The New York SHIELD Act and HIPAA both require that cybersecurity measures be taken to prevent data breaches. The SHIELD Act mandates that persons or entities that own or license computerized data containing the private information of a New York resident, implement a  “reasonable security requirement.”

Notably, organizations that are covered by and already in compliance with the HIPAA Privacy and Security Rules, are deemed to be automatically in compliance with the SHIELD Act data security requirements. 

Persons or entities that own or license computerized data containing the private information of a New York resident, who are NOT already compliant with HIPAA, may become compliant with the SHIELD Act data security protections by developing, implementing, and maintaining reasonable safeguards to protect the security, confidentiality, and integrity of that private information including, but not limited to, disposal of data. 

These safeguards must be implemented through a SHIELD Act-mandated “data security” program that includes reasonable administrative, technical, and physical safeguards.

• Reasonable administrative safeguards are safeguards such as the following, in which the person or business:  
  • Designates one or more employees to coordinate the security program, 
  • Identifies reasonably foreseeable risks (external and internal); 
  • Assesses existing safeguards; conducts workforce cybersecurity training; and 
  • Both selects service providers that can maintain appropriate safeguards AND requires those safeguards by contract.
• Reasonable technical safeguards are safeguards such as the following, in which the person or business:
  • Assesses risks in network and software design; 
  • Assesses risks in information processing, transmission, and storage; 
  • Detects, prevents, and responds to attacks or system failures; and
  • Regularly tests and monitors the effectiveness of key controls, systems, and procedures.
• Reasonable physical safeguards are safeguards such as the following, in which the person or business: 
  • Assesses risks of information storage disposal; 
  • Detects, prevents, and responds to intrusions; 
  • Protects against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information; and
  • Disposes of private information within a reasonable amount of time after it is no longer needed for business purposes, by erasing electronic media so that the information cannot be read or reconstructed.

Small businesses are deemed to be in compliance with the SHIELD Act data security requirements if their security programs contain reasonable administrative, technical and physical safeguards that are appropriate for:

• Their size and complexity
• The nature and scope of their activities; and 
• The sensitivity of the personal information they collect from or about consumers,

Legal experts believe that these data security requirements may be more stringent than those imposed under the HIPAA Security Rule. How stringent the requirements end up actually being, will depend on how and when the New York State Attorney General interprets and enforces them in the years ahead.

Companies that own or license private information of a New York resident – whether they conduct business in New York or not – should integrate required components of both the New York SHIELD Act AND HIPAA, into their overall compliance program. 

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give health care organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™ software, gives healthcare organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM their HIPAA compliance!