By: Kara K. Trowell
On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.
Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements. First, private information has been expanded to include:
- (a) financial account numbers that can be used alone to access a financial account;
- (b) biometric data used to authenticate an individual’s identity;
- (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
- (d) unsecured protected health information covered under HIPAA.
These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.
Second, the circumstances that qualify as a “breach” have been expanded to include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.