Three Key Changes to Breach Notification Law
The New York General Business Law § 899-aa, also known as the New York Stop Hacks and Improve Data Security Act (“SHIELD Act”), was amended in three key aspects: (1) a new 30-day breach notification timeframe, (2) a new notice requirement for New York Department of Financial Services (“DFS”) regulated entities, and (3) an amended definition of “Private Information.”
The SHIELD Act requires persons and businesses that own or license data containing Private Information to notify affected New York residents, certain state regulators, and consumer reporting agencies following a security “breach” of that information. The recent amendment now sets forth an explicit 30-day notification timeline, instead of the previous requirement to notify “in the most expedient time possible and without unreasonable delay.” The recent amendment to the SHIELD Act also introduces a new requirement for DFS-regulated entities that experience a breach to notify DFS, the New York State attorney general, the New York Department of State and the state police. These requirements became effective as of December 21, 2024.
The definition of “Private Information” under the SHIELD Act was expanded to explicitly include medical and health insurance information. Under the SHIELD Act, notice of a breach of any Private Information is required to be provided to the affected resident. Under the amended statute, Private Information now includes personal information consisting of “…(v) medical information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a health care professional; or (vi) health insurance information including an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual or any information in an individual’s application and claims history, including but not limited to, appeals history….”
Previously, the statute did not specifically require notifications for breaches that impacted medical or health insurance information. While HIPAA-covered entities are deemed compliant, and therefore exempt from the SHIELD Act’s security requirements with respect to electronic Protected Health Information (“ePHI”), healthcare providers and other organizations that process any New York resident’s Private Information must still comply with respect to non-ePHI, including the thirty (30) day notification requirement for any breach of Private Information.
For more information and regulatory guidance, please contact Robert Braumuller or Zaina S. Khoury at RBraumuller@bpslaw.com or ZKhoury@bpslaw.com.