Governor Signs Law to Update Breach Notification Requirements

New York Governor Andrew M. Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law. The new consumer privacy policy is designed to protect New Yorkers' private data and strengthen the state's data breach policies.

The signing comes on the heels of the announcement of the $650 million settlement agreed upon by the Equifax credit reporting agency, U.S. states, and federal agencies following an investigation into the 2017 data breach that led to almost 150 million people having their personal information exposed.

The signed legislation, sponsored by State Senator Kevin Thomas, Chairman of the Committee on Consumer Protection, expands "the scope of information subject to the current data breach notification law to include biometric information, and email addresses and their corresponding passwords or security questions and answers."

"It is critical that our laws keep pace with the rapidly changing world of technology. The SHIELD Act raises security standards so that no more New Yorkers are needlessly victimized by data breaches and cyber-attacks," said Senator Thomas.

Applies to all entities processing NY residents' private info

The S5575B/A5635B bill also increases civil penalties and widens the definition of a data breach to also apply "the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State."

"It also requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities," according to the purpose described for the SHIELD Act on the New York State Senate's official website.

"As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure," said Governor Cuomo.


"The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data."

The newly signed legislation, which will take effect in 240 days, updates New York's data breach notification law to keep up with today's technology while making sure that no excessive costs are imposed on smaller businesses and that duplicate obligations are avoided.

Identity theft protection bill also signed into law

The New York Governor also signed Senate Bill S3582 into law, which will provide reasonable consumer protections after a credit reporting agency (CRA) suffers a data breach that also involves social security numbers.

The signed bill, sponsored by State Senator Leroy Comrie, will take effect 60 days after being signed. It requires CRAs to provide five-year identity theft prevention services and, when and if applicable, identity theft mitigation services to impacted customers if their social security numbers are exposed in a breach.

"Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost," says the press release.

"From the initial Equifax hack to the company's inadequate response, it is clear that New York State needed to be doing much more to protect consumers from data thieves," Senator Comrie stated.

"In the ever evolving world of emerging technology, it is imperative that safeguards are in place to prevent personal information like social security numbers and banking information from so easily ending up in the hands of hackers."
