SHIELD Act Becomes Law, Expanding Breach Notification and Data Security Requirements

On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The SHIELD Act modifies the current Breach Notification Law to expand the types of data elements that are considered “private information” and to expand the data breach disclosure requirements for individuals and businesses. Moreover, the law creates a requirement that owners or licensors of private information meet a new “reasonable security requirement.”

Breach Disclosure

The SHIELD Act updates the breach notification requirements so that they apply to all individuals or businesses who own or license private information of a New York resident, not just to those that “conduct business” in New York State, and it expands the current law’s definitions of “private information” and “breach.” These changes have far-reaching implications for persons or businesses who own or license private information of New Yorkers and significantly lower the threshold for what is considered a breach that triggers a disclosure to affected persons.

Previously, “private information” referred to a combination of personally identifying information paired with a social security number, a driver’s license number, or a credit card number along with its security code. The SHIELD Act keeps the same combinations but also treats personal identifiers in tandem with credit card numbers without security codes, and biometric data—electronic measurements of physical characteristics such as a fingerprint, voice print, or retina or iris image—as “private information.” Furthermore, under the new law, “private information” also means “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.” Additionally, the law expands the definition of a “breach.” Previously, a breach occurred only when private data was acquired by an unauthorized individual. Under the new law, any time private data is accessed or acquired without authorization there is a breach.

Notices of a breach sent by health care entities to affected persons that are consistent with the requirements of the “regulations implementing the Health Insurance Portability and Accountability Act of 1996 [(HIPAA)] (45 C.F.R. parts 160 and 164), … and the Health Information Technology for Economic and Clinical Health Act [(HITECH)]” are sufficient under the SHIELD Act. However, the law does require those covered entities to provide notification to the New York Attorney General’s Office within five (5) business days of notifying the Secretary of Health and Human Services.

Reasonable Security Requirements

Under the SHIELD Act, there are also new reasonable security requirements that every owner or licensor of private information must meet. Compliance requires the implementation of reasonable administrative, technological, and physical safeguards on all private information.

A New York health care entity in compliance with the security requirements for HIPAA and HITECH is considered a “compliant regulated entity,” which will be deemed in compliance with the new statutory reasonable security requirements.

In light of the unique compliance methods the SHIELD Act offers to health care entities already regulated by HIPAA and HITECH, those entities should ensure their data security programs comply with HIPAA and HITECH, and should also remain vigilant about data breaches outside the scope of those regulations, which may still require disclosure under the SHIELD Act.

This post was co-authored by Michael Lisitano, legal intern at Robinson+Cole. Michael is not yet admitted to practice law.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.


About this Author

David R. Gilboa, Robinson+Cole Health Law Associate

David Gilboa represents hospitals, health systems, physician groups, home care agencies, skilled nursing facilities, and other health care entities (both for-profit and not-for-profit) on a variety of health law and business issues, including transactional, corporate, regulatory, and compliance matters. He has extensive experience representing health care providers in all legal and regulatory matters. David is a member of the firm’s Health Law Group.

Leslie Levinson, Health Business Attorney

Leslie Levinson is co-chair of the firm's Transactional Health Law Group and a member of both the Health Law and Business Transaction Groups. He has represented private and public businesses throughout his more than 30-year career. Although Les maintains an active business law practice, he concentrates on the transactional, regulatory, and compliance representation of health care and life science clients, including home care and hospice companies, physician practices, hospitals, information technology and medical device companies, health care equipment providers, and health care investors and lenders. He brings a proactive approach to problem-solving. He assists clients by anticipating issues and implementing creative and cost-effective strategies and solutions.


Les has extensive experience in both health care and life science–related and non–health care industry transactions. He has completed more than 300 mergers and acquisitions and financing transactions.

Mergers and Acquisitions

In his transactional practice, Les represents health care, life science, corporate and private equity clients, and other public and privately owned companies in a wide range of domestic and cross-border merger and acquisition transactions, including leveraged buyouts. He advises buyers and sellers on structuring transactions and negotiating acquisition and financing agreements.

Venture Capital and Equity Financings

Les counsels emerging, high-growth companies and entrepreneurs in capital raise transactions, including advice in connection with investment purchase agreements, convertible notes, charter documents, stockholder agreements, and operating agreements.

General Corporate Matters

Les also maintains an active corporate and business law practice, with an emphasis on transactional matters, including M&A for both public and private companies, securities matters, credit and finance transactions, restructurings and workouts, commercial and business agreements of all kinds, and business counseling. He regularly counsels boards and board committees, and he has served and continues to serve as corporate secretary to public and private companies.


Les provides counsel to health care providers on federal and state licensure change of control, Medicare and Medicaid fraud and abuse, compliance with the Stark law, false claims, licensure, government investigations, physician recruitment, reimbursement, privacy of medical information, compliance program development, self-disclosures, and general federal and state health care compliance counseling.

Les is a frequent author, speaker, and commentator on health care and business matters as well as a contributor to Robinson+Cole’s health law blog, Health Law Diagnosis. Prior to joining the firm, he was a partner at Edwards Wildman, where he was the chair of the health care practice. Les serves on a number of outside advisory boards, including the National Advisory Board of the Berman Institute on Bioethics at Johns Hopkins University, Bioethics International, and DealZumo.


  • Case Western Reserve University School of Law
  • University of Wisconsin
  • State of New York