Governor Signs Data Breach Bills

July 29th, 2019

• The Shield Act (S.5575b/A.5635) expands the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers. The bill also broadens the definition of a data breach to include unauthorized “access” to private information from the current “acquired” standard. The bill will apply the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State and updates the notification procedures companies and state entities must follow when there has been a breach of private information. The bill contains carve-outs for certain notification requirements for those already complying with certain state or federal regulations, such as HIPAA or the Gramm-Leach-Bliley Act. The majority of the provisions of this bill will take effect on the ninetieth day after it shall have become law (10/23/19).

• The other bill signed by the Governor (A.2374/S.3582) will require that when a credit reporting agency suffers a breach of information containing consumer social security numbers, the credit reporting agency must provide lifetime identity theft prevention services, and if applicable, identity theft mitigation services to affected customers for a period of up to five years. Additionally, the bill will prohibit fees relating to the implementation and lifting of security freezes on consumer credit reports, if those reports were part of a breach of information containing social security numbers. This law will take effect on the sixtieth day after it shall have become law (9/23/19) and will apply to any breach of the security of the system of a consumer credit reporting agency that occurred no more than three years prior to the effective date of this act.