NY Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security - or SHIELD - Act, which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach.
The Governor also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency's system.
"As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure," Governor Cuomo said. "The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data."
In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers. The magnitude of this breach is still unknown, but the company's response was insufficient and it is unacceptable that consumers were left to bear the burden of protecting their own identities even though their information was stolen through no fault of their own. On July 22, 2019, Governor Cuomo, the State Department of Financial Services and State Attorney General James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach.
SHIELD Act (S.5575B/A.5635)
New York's data breach notification law is outdated and does not keep pace with current technology. A growing number of states already require reasonable data security protections without imposing duplicate obligations on those already subject to other federal or New York State data security regulations and without imposing excessive costs on small business.
This legislation imposes stronger obligations on businesses handling customers' private data, with respect to both security and proper notification of breaches, by:
- Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;
- Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;
- Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State;
- Expanding the definition of a data breach to include unauthorized access to private information; and
- Creating reasonable data security requirements tailored to the size of a business.
The bill will take effect 240 days after becoming law.