Compliance with the New York SHIELD Act Data Security Provisions Required by March 2020

The New York Governor signed the SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) into law in July 2019. The New York SHIELD Act broadened the breach notification requirements for businesses that collect the personal data of New York residents. The data security provisions of the New York SHIELD Act became effective on March 21, 2020.

Certain small businesses are exempted from the requirements of the New York SHIELD Act, including

  • small businesses with fewer than 50 employees
  • small businesses with less than $3 million in gross income for each of the last 3 fiscal years
  • small businesses whose year-end total assets are under $5 million

For these small businesses, the data security program may be scaled to the size and complexity of the business, the nature of its activities, and the sensitivity of the private information it collects.

For the majority of HIPAA-covered entities, compliance will be fairly simple. Entities that comply with the Health Insurance Portability and Accountability Act (HIPAA) are regarded as compliant with the New York SHIELD Act.

New York SHIELD Act Requirements for HIPAA Covered Entities

Compliance with HIPAA does not, however, guarantee that an entity is compliant with the New York SHIELD Act. Although the two overlap, the SHIELD Act covers data types that HIPAA does not. HIPAA-covered entities that collect the personal information of New York State residents must ensure compliance with the data security provisions of the SHIELD Act for those data types. See the figure below.

One clear example of where the SHIELD Act applies but HIPAA does not is IT systems that store employee information, such as Social Security numbers or driver’s license numbers, but no protected health information (PHI). Although HIPAA does not cover that information, the SHIELD Act requires the implementation of reasonable administrative, technical, and physical safeguards to protect it. See the Data Security Requirements of the SHIELD Act in the image below.