Earlier this year, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), amending New York State’s existing data breach notification law and creating new data security requirements for businesses collecting private information on New York residents.

Today, the breach notification provisions of that law went into effect. 

Overview of the New York SHIELD Act:

The SHIELD Act (New York Senate Bill S5575B) amends the current data breach law in New York State, N.Y. Gen. Bus. Law § 899-aa.

Signed: Jul 25, 2019

Effective: Oct 23, 2019

Alignment with previously identified Radar regulatory trends

  • Expanded scope of personal information: The definition of personal information has been expanded to include online credentials and biometric data under this act. 
  • Notification Requirements to the State Attorney General Added: The act imposes new data breach reporting requirements for covered entities under HIPAA. HIPAA covered entities must report to the state Attorney General in the event of a data breach that requires notice to HHS under HIPAA. 
  • Notification Contents Specified: Individual notification contents are newly specified. 

Read the full text of the regulation here


What does this mean for privacy professionals? 

Under the new provision, a failure to report a breach under HIPAA could also lead to a failure to report to the New York Attorney General, compounding the risks and potential fines to the organization when privacy incident response is poorly managed. A violation of both HIPAA and the SHIELD Act could also potentially trigger civil penalties under both measures.

For more information about the impacts of this regulation, we recommend this article from the National Law Review
