NY Attorney General: Record number of data breaches in 2017

New York Attorney General Eric Schneiderman said Thursday that there were a record number of data breaches in his state during the year 2017. In his report titled “Information Exposed: 2017 Data Breaches in New York State,” Schneiderman reveals that 1,583 breaches were reported to his office in 2017, impacting the data of 9.2 million New Yorkers. 

Indicating that current laws are inadequate, Schneiderman's office also introduced new legislation with stricter reporting requirements for any organization doing business with New York residents: 

However, current law does not require most companies to maintain reasonable data security, except if the company collects social security numbers. Companies also are not required to report breaches of certain critical data types, including username-and-password combinations, and biometric data like the fingerprint you use to unlock an iPhone.
To address these inadequacies in the law, my office introduced the Stop Hacks and Improve Electronic Data Security, or SHIELD Act, which would require companies to adopt administrative, technical, and physical safeguards for sensitive data. These standards would apply to any business that holds sensitive data of New Yorkers, whether they do business in New York or not.
The standards are tailored to the sensitivity of the data retained and the size and complexity of the business. The SHIELD Act also expands the types of data that trigger reporting requirements in the event of exposure to include username-and-password combinations, biometric data, and HIPAA-covered health data.
My office is also preparing new legislation that would require companies like Facebook to notify my office, and in turn consumers, as soon as they learn that their users’ personal data has been misused. 

With an increasing number of states across the nation introducing their own information and data security regulations, where does this leave HIPAA? It is crucial for healthcare entities to understand the requirements of each regulation, but complying with one does not mean the other can be ignored.