New York Enacts New Data Security Requirements

Two new bills will deliver more data breach enforcement, stronger consumer data protections and an international reach.


New York state’s data privacy and security protections will be strengthened over the next year as businesses prepare to implement two bills on the topic signed by Gov. Andrew Cuomo on Thursday.

Both bills were inspired in part by the data breach at Equifax in 2017, when the personal information of more than half the adult population in the U.S. was exposed in what’s been considered one of the largest digital security events in history.

The first bill, called the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, will broaden the definition of what’s considered a data breach and set new requirements for when consumers should be notified.

The law, importantly, does not allow a private right of action, meaning individuals can’t bring civil litigation against companies that don’t take the legally prescribed steps to protect their data. Enforcement, instead, will be exclusively handled by the state Attorney General’s Office.

New York Attorney General Letitia James was a driving force behind the bill’s passage this year, nearly two years after it was first proposed.

“The SHIELD Act is now the law of the land and provides better protections for consumers’ private information,” James said. “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”

Companies will now have to notify consumers of a data breach when their information is accessed, even if it was just viewed during the event but not obtained. The previous standard only required that consumers be notified when their data was acquired by attackers.

The new law will also expand the notification requirements to companies outside New York, meaning that the statute will have a global reach. Any company, regardless of where it is based, will be required to notify New York consumers when their data has been accessed. The company does not have to have a physical space in New York to be subject to that mandate.

Notice requirements for the scope of information accessed through a data breach will also be changed. Consumers will now have to be notified if attackers access biometric information, like fingerprints, voice prints and other unique characteristics.

Companies will also be required to implement new security safeguards over the next eight months that comply with the new law. That part of the bill takes effect in March 2020.

The second bill is shorter, and relates to credit reporting agencies in particular. The law will require consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who’ve been affected by a security breach of that company’s data.

Credit reporting agencies will be required to provide identity theft prevention services for life under the bill and will be prohibited from charging fees during security freezes on consumer credit reports.

That bill was sponsored by State Sen. Leroy Comrie, D-Queens, and Assemblyman Jeffrey Dinowitz, D-Bronx. It takes effect in two months, according to the legislation.

Cuomo, in a statement, said the legislation is another way for New York to add an extra layer of accountability when it comes to consumer data.

“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”