New York State has enacted a law that expands the definition of “private information” and adding new data breach security protections.
New York Gov. Andrew Cuomo recently signed the law to amend the state’s existing data breach notification law—the new security protections are similar to those contained in the HIPAA security rule.
Under the new law, known as the SHIELD ACT, healthcare organizations that own or license any computerized information of New York residents may need to add additional cybersecurity safeguards, and healthcare providers further will have new reporting requirements to the state in the event of a data breach—that’s in addition to federal requirements to report breaches to the Department of Health and Human Services.
There are a number of new definitions that govern provider obligations under the SHIELD ACT.
For example, personal information has a new definition: “Any information concerning a natural person which, because of name, number, personal mark or other identifier, can be used to identify such natural person.”
Private information has a new definition: “Private information is defined as personal information consisting of any information in combination with any one or more of the following data elements when either the data element or the combination of personal information, plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired.”
According to the law, private information includes the following:
- Social Security numbers; driver’s license numbers or non-driver identification card numbers.
- Account numbers, credit or debit card numbers, in combination with any required security code, access code or password, or other information that would permit access to an individual’s financial account.
- Account numbers, credit or debit card numbers, if circumstances exist under which such numbers could be used to access an individual’s financial account without additional identifying information, security code, access code, password.
- Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics such as a fingerprint, voice print, retina or iris image, other unique physical representation or digital representation of biometric data that are used to authenticate or ascertain the individual’s identity.
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Next, a breach of the security of a system is defined under the Act as unauthorized access to or acquisition of, or access to or acquisition of without valid authorization, of computerized data that compromises the security, confidentiality or integrity of private information maintained by a business. Good faith access to acquisition of private information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.
Under the SHIELD ACT, if a healthcare organization suffers a breach that requires notification to affected individuals under HIPAA, it is sufficient to provide affected New York residents only the notice required under HIPAA, provided notice also is given to the State Attorney General, the New York Department of State, and the New York Office of Information Technology Services.
If a healthcare organization suffers a breach that is reportable to the Secretary of Health and Human Services under HIPAA, regardless if it is a reportable breach of private information under the SHIELD Act, it must report it to the Attorney General of New York within five days of the report to HHS.
Further, the SHIELD Act includes new requirements for data breach security protections similar to the HIPAA Security rule, including reasonable safeguards to protect the security, confidentiality and integrity of private information.
This includes designated employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, assessing the sufficiency of safeguards in place to control identified risks, training and managing employees of security program practices and procedures, selecting vendors capable of maintaining appropriate safeguards, and adjusting the security program in light of business changes or new circumstances.
Other provisions of the SHIELD Act dictate additional processes and safeguards when reporting a data breach.
“If a healthcare organization suffers a breach that requires it to provide notification to affected individuals under HIPAA and also under the SHIELD ACT, in a case where the breach includes Private Information as defined under HIPAA, it is sufficient to provide affected New York residents only the notice required under HIPAA, provided notice is also given to the State Attorney General, New York Department of State, and the New York Office of Information Technology Services.
“If a healthcare organization suffers a breach that is reportable to the Secretary of Health and Human Services under HIPAA, regardless if it is a reportable breach of Private Information under the SHIELD ACT, it must report it to the Attorney General of New York within five days of the report to HHS.”