How the SHIELD Act Expands Legal Reach on Breaches


Interested in some (thankfully) non-pandemic related news? New York State’s SHIELD Act is in effect as of March 21, 2020. The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) takes several actions, including:

  • broadening the definition of “Private Information”,
  • expanding the definition of breach, and
  • expanding the reach of the law to include “any person or business that owns or licenses private information of a New York resident.”

In our view, the most important thing that the SHIELD Act does is require companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. Companies must implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal. The New York state attorney general can bring action to compel compliance and seek damages.

Organizations regulated under HIPAA, and already in compliance with the HIPAA Security Rule, are exempt from this requirement.

The establishment of a data security program resembles the Massachusetts state law that requires employers to develop and document a written information security program – a WISP. Massachusetts added teeth to the law last year when it required that an organization’s WISP be submitted to the state whenever the organization reports a breach.

In the end, whether you call it a data security program or a WISP, these requirements equate to having current, thorough policies, procedures, and plans – and to having an organization that actually lives up to them. If you want to rely on your HIPAA policies and procedures, make sure that they comply with the HIPAA Security Rule.

For example, 45 CFR §164.316 requires organizations to review their security policies “periodically.” Your policies themselves may define “periodically” as annually, or at material changes but no less frequently than once every 24 months, let’s say. In either case, if you last reviewed your policies at their adoption in 2013, you’re not in compliance with the Rule.

Written security programs aren’t complicated. You get to define how you will meet information security requirements – so go ahead, write it down, and then walk your talk!

Did this article remind you to update your policies and procedures? We can help you get those essentials current. Contact Apgar and Associates at 503-384-2538 today to talk about your privacy and information security project.