The New York General Business Law \u00a7 899-aa, also known as, the New York Stop Hacks and Improve Data Security Act (\u201cSHIELD Act\u201d), was amended in three key aspects: (1) a new 30-day breach notification timeframe, (2) a new notice requirement for New York Department of Financial Services (\u201cDFS\u201d) regulated entities, and (3) an amended definition of \u201cPrivate Information.\u201d<\/p>\n
The SHIELD Act requires persons and businesses that own or license data containing Private Information to notify affected New York residents, certain state regulators, and consumer reporting agencies following a security \u201cbreach\u201d of that information. The recent amendment now sets forth an explicit 30-day notification timeline, instead of the previous requirement to notify \u201cin the most expedient time possible and without unreasonable delay.\u201d The recent amendment to the SHIELD Act also introduces a new requirement for DFS-regulated entities that experience a breach to notify DFS, the New York State attorney general, the New York Department of State and the state police. These requirements became effective as of December 21, 2024.<\/p>\n
The definition of \u201cPrivate Information\u201d under the SHIELD Act was expanded to explicitly include medical and health insurance information. Under the SHIELD Act, notice of a breach of any Private Information is required to be provided to the affected resident. Under the amended statute, Private Information now includes personal information consisting of \u201c\u2026(v) medical information regarding an individual\u2019s medical history, mental or physical condition or medical treatment or diagnosis by a health care professional; or (vi) health insurance information including an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual or any information in an individual\u2019s application and claims history, including but not limited to, appeals history\u2026.\u201d<\/p>\n
Previously, the statute did not specifically require notifications for breaches that impacted medical or health insurance information. While HIPAA-covered entities are deemed compliant, and therefore exempt from the SHIELD Act\u2019s security requirements with respect to electronic Protected Health Information (\u201cePHI\u201d), healthcare providers and other organizations that process any New York resident\u2019s Private Information must still comply with respect to non-ePHI, including the thirty (30) day notification requirement for any breach of Private Information.<\/p>\n
For more information and regulatory guidance, please contact Robert Braumuller or Zaina S. Khoury at RBraumuller@bpslaw.com<\/a> or ZKhoury@bpslaw.com<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" The New York General Business Law \u00a7 899-aa, also known as, the New York Stop Hacks and Improve Data Security Act (\u201cSHIELD Act\u201d), was amended in three key aspects: (1) a new 30-day breach notification timeframe, (2) a new notice requirement for New York Department of Financial Services (\u201cDFS\u201d) regulated entities, and (3) an amended […]<\/p>\n","protected":false},"author":6,"featured_media":5511,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[82],"tags":[],"class_list":["post-5504","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-client-alert"],"acf":[],"yoast_head":"\n