Personal information in the United States is currently protected by a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary. The challenge of compliance for organizations that conduct business across all 50 states is therefore considerable.
Although many countries have laws that mandate data breach notification, such notification is not mandatory in most countries; in others it is mandatory only for the private sector and not the public sector, or only for certain sectors of society.
Data breach notification laws include provisions governing their application, such as which people, agencies and/or authorities the laws apply to and what counts as a breach under these laws. They require entities that have suffered a breach (and are covered by the law) to contact the individuals whose data was breached, as well as other relevant parties, and inform them about the incident.
Data breach notification laws also include exceptions to the notification requirement. Some do not require notification if it is determined that the breach is unlikely to harm the affected parties. Others require notification only once a breach reaches a particular threshold.
Data breach notification laws in New York
Some of the top laws you must comply with if you live in New York:
- HIPAA: In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires notification of affected parties within 60 days of the breach. Where the health data of more than 500 individuals was accessed, the Department of Health and Human Services’ Office for Civil Rights and the media must also be contacted within 60 days of the breach. Where the personal health information of fewer than 500 people was breached, only the Department of Health and Human Services’ Office for Civil Rights needs to be contacted, no later than 60 days after the start of the next calendar year.
- The SHIELD Act impacts New York businesses across industries: In the spring of 2019, the New York legislature passed Senate Bill 5575, the Stop Hacks and Improve Electronic Data Security Act, also known as the SHIELD Act. Fines can be issued under the Act where a business has failed to properly notify people affected by a data breach. The fine is a civil penalty of either $5,000 or $20 per violation (i.e., per person who was not properly notified of the breach), up to a maximum of $250,000. The SHIELD Act imposes specific cybersecurity requirements and applies to any person or business that owns or licenses computerized data containing the private information of New York residents, including biometric data, unsecured health information, financial account numbers, and email addresses together with the corresponding passwords or security questions and answers.
- Under New York’s Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), all covered entities are required to certify each year that they comply with the regulation. All regulated entities must develop a cybersecurity policy and implement an incident response plan that includes a notification system for data breaches and cybersecurity events within 72 hours. DFS 23 NYCRR 500 applies to all regulated entities, meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, including state banks, licensed lenders, private banks, foreign banks operating in New York, mortgage companies, insurance companies, trust companies and service providers.