S.5575B/A.5635 - or SHIELD Act - Imposes Stronger Obligations on Businesses Handling Private Customer Data to Provide Proper Notification of Security Breaches
A.2374/S.3582 Requires Consumer Credit Reporting Agencies to Offer Identity Theft Prevention and Mitigation Services to Consumers Affected by a Security Breach
Governor Andrew M. Cuomo today signed legislation to protect New Yorkers against security breaches. The Governor signed the Stop Hacks and Improve Electronic Data Security - or SHIELD - Act (S.5575B/A.5635), which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. The Governor also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency's system.
"As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure," Governor Cuomo said. "The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data."
Attorney General Letitia James said, "The SHIELD Act is now the law of the land and provides better protections for consumers' private information. New Yorkers deserve the peace of mind that companies will be held accountable for securing their information. We thank Governor Cuomo and the bill's co-sponsors, Senator Thomas and Assembly Member DenDekker, for their advocacy and support for this important piece of legislation."
In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers. The magnitude of this breach is still unknown, but the company's response was insufficient and it is unacceptable that consumers were left to bear the burden to protect their own identities even though their information was stolen at no fault of their own. On July 22, 2019, Governor Cuomo, the State Department of Financial Services and State Attorney General James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach.
SHIELD Act (S.5575B/A.5635)
New York's data breach notification law is outdated and does not keep pace with current technology. A growing number of states already require reasonable data security protections without imposing duplicate obligations on those already subject to other federal or New York State data security regulations and without imposing excessive costs on small business.
This legislation imposes stronger obligations on businesses handling private data of customers, regarding security and proper notification of breaches by:
- Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;
- Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;
- Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State;
- Expanding the definition of a data breach to include unauthorized access to private information; and
- Creating reasonable data security requirements tailored to the size of a business.
This bill will take effect 240 days after becoming law.
Senator Kevin Thomas, Chairman of the Committee on Consumer Protection said, "It is critical that our laws keep pace with the rapidly changing world of technology. The SHIELD Act raises security standards so that no more New Yorkers are needlessly victimized by data breaches and cyber-attacks. I want to thank the Governor for his leadership as we work to modernize our laws and protect the personal data of all New Yorkers."
Assembly Member Michael DenDekker, Chair, Committee on Consumer Affairs and Protection, said, "I applaud Governor Cuomo for signing the SHIELD ACT into law. I was proud to partner with the Attorney General's Office, the Senate and the Governor's Office to introduce this legislation that will help protect consumers personal information and hold those entrusted with sensitive private data to certain standards with regard to its' proper storage and protection. The bill also outlines if a breach of information occurs, that proper notifications must be made in a timely manner."
Identity Theft Prevention and Mitigation Services (A.2374/S.3582)
This legislation establishes the minimal amount of long-term protections to consumers who are affected by a data breach from a credit reporting agency. It requires credit reporting agency that suffers a breach of information containing consumer social security numbers to provide five-year identity theft prevention services, and if applicable, identity theft mitigation services to affected customers. Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost.
The bill will take effect 60 days after becoming law, and applies to any breach of the security of a consumer credit reporting agency that occurred no more than three years prior to the effective date of this act.
Senator Leroy Comrie said, "From the initial Equifax hack to the company's inadequate response, it is clear that New York State needed to be doing much more to protect consumers from data thieves. In the ever evolving world of emerging technology, it is imperative that safeguards are in place to prevent personal information like social security numbers and banking information from so easily ending up in the hands of hackers. I was proud to advance legislation that will require credit reporting agencies provide lifetime identity theft protection and risk mitigation services in the event that confidential consumer data is breached. I thank Governor Cuomo for signing this bill into law to help protect New Yorkers."
Assembly Member Jeffrey Dinowitz said, "I applaud Governor Cuomo for signing our legislation into law. The vast majority of consumers have had their personal information violated due to a data breach at some point in their lifetime. One of the worst breaches on record occurred in 2017 when one of the major credit reporting agencies in the country was breached and millions of consumers' social security numbers and other sensitive information was stolen. This legislation will ensure that impacted individuals receive appropriate credit monitoring and identity theft mitigation services when a credit reporting agency loses their social security number. Credit reporting agencies should be held to the highest standard as they play such a vital role protecting our data. This vital consumer legislation is an important step in holding these entities accountable when they fail to protect our information from bad actors."