Governor Signs Data Breach Bills
July 29th, 2019
This week, the Governor signed the Stop Hacks and Improve Electronic Data Security – or SHIELD – Act (S.5575B/A.5635), which imposes stronger obligations on businesses handling private data to provide notification to affected consumers when there is a security breach. The Governor also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency’s system.
- The SHIELD Act (S.5575B/A.5635) expands the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers. The bill also broadens the definition of a data breach from the current “acquired” standard to include unauthorized “access” to private information. The bill will apply the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State. It also updates the notification procedures companies and state entities must follow when there has been a breach of private information. The bill contains carve-outs for certain notification requirements for those already complying with certain state or federal regulations, such as HIPAA or the Gramm-Leach-Bliley Act. The majority of the provisions of this bill will take effect on the ninetieth day after it shall have become law (10/23/19).
- The other bill signed by the Governor (A.2374/S.3582) will require that when a credit reporting agency suffers a breach of information containing consumer social security numbers, the credit reporting agency must provide lifetime identity theft prevention services, and, if applicable, identity theft mitigation services to affected customers for a period of up to five years. Additionally, the bill will prohibit fees relating to the implementation and lifting of security freezes on consumer credit reports if those reports were part of a breach of information containing social security numbers. This law will take effect on the sixtieth day after it shall have become law (9/23/19) and will apply to any breach of the security of the system of a consumer credit reporting agency that occurred no more than three years prior to the effective date of this act.
The Governor said:
“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure. The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”