New York State Set to Impose New Health Data Security Breach Rules

As of October 23, the state of New York will implement changes to its breach notification law, requiring that health data or biometric security breaches be reported to the state
Oct. 13, 2019

As an October 8 report in Bloomberg Law online notes, “Businesses hit with a biometric or health data security breach could face heightened scrutiny from New York’s attorney general under changes to the state’s notification law, privacy attorneys said. As of Oct. 23, companies whose customers include New York residents must alert Attorney General Letitia James (D) to such breaches under the New York SHIELD Act. Companies that collect health data will now have to report data breaches to the New York attorney general, in addition to federal authorities,” Daniel R. Stoller, Bloomberg Law’s chief legal editor reported.

As Stoller noted, “James’ office has been aggressive in probing data breaches, including recent investigations into Equifax Inc., Dunkin Donuts Inc., and Capital One Financial Corp. The state’s top cop is unlikely to let up on this pressure and may use the new data breach notice law to go after more companies for data breach notice failures, privacy attorneys said. Representatives for the New York Attorney General’s Office didn’t immediately respond to requests for comment.”

Further, Stoller wrote, “Privacy attorneys say businesses should revisit their data breach response plans and those collecting biometric or health information should carefully secure this data to limit state attorneys general enforcement risk. Under the SHIELD Act, companies must notify James following a data breach for a wide group of sensitive data, including Social Security numbers and driver’s license data. The increased transparency is likely to lead to more enforcement actions for companies that don’t do enough to protect biometric or health, privacy attorneys said. Companies also must adopt reasonable security measures by March 2020, among other new rules.”

And Stoller quoted Joseph J. Lazzarotti, a privacy principal at Jackson Lewis in New Jersey, who told him that businesses that have good processes and perform due diligence should face minimal regulatory risk, as they will be better prepared for any post-breach enforcement investigations.

About the Author

Mark Hagland

Mark Hagland has been Editor-in-Chief since January 2010, and was a contributing editor for ten years prior to that. He has spent 30 years in healthcare publishing, covering every major area of healthcare policy, business, and strategic IT, for a wide variety of publications, as an editor, writer, and public speaker. He is the author of two books on healthcare policy and innovation, and has won numerous national awards for journalistic excellence.
