New York state now has legislation to protect New Yorkers against security breaches.
The Stop Hacks and Improve Electronic Data Security—or SHIELD Act—imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach.
Gov. Andrew Cuomo also signed legislation requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency’s system.
“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
Atty. Gen. Letitia James said the SHIELD Act is now “the law of the land and provides better protections for consumers’ private information. New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”
In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers, state officials said. The magnitude of this breach is still unknown, but the company’s response was insufficient and it is unacceptable that consumers were left to bear the burden of protecting their own identities even though their information was stolen through no fault of their own.
On July 22, Cuomo, the State Department of Financial Services and James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach.
Officials said the legislation imposes stronger obligations on businesses handling private data of customers, regarding security and proper notification of breaches by:
• Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers.
• Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information.
• Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York state.
• Expanding the definition of a data breach to include unauthorized access to private information.
• Creating reasonable data security requirements tailored to the size of a business.
“It is critical that our laws keep pace with the rapidly changing world of technology. The SHIELD Act raises security standards so that no more New Yorkers are needlessly victimized by data breaches and cyber-attacks,” said Sen. Kevin Thomas, chairman of the Committee on Consumer Protection.
As for the Identity Theft Prevention and Mitigation Services law, officials said it establishes the minimal amount of long-term protections for consumers who are affected by a data breach at a credit reporting agency. It requires a credit reporting agency that suffers a breach of information containing consumer social security numbers to provide five-year identity theft prevention services and, if applicable, identity theft mitigation services to affected customers.
Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost.
Sen. Leroy Comrie said, “From the initial Equifax hack to the company’s inadequate response, it is clear that New York state needed to be doing much more to protect consumers from data thieves. In the ever evolving world of emerging technology, it is imperative that safeguards are in place to prevent personal information like social security numbers and banking information from so easily ending up in the hands of hackers.
“I was proud to advance legislation that will require credit reporting agencies to provide lifetime identity theft protection and risk mitigation services in the event that confidential consumer data is breached.”
Assembly Member Jeffrey Dinowitz said the vast majority of consumers have had their personal information violated due to a data breach at some point in their lifetime. “One of the worst breaches on record occurred in 2017 when one of the major credit reporting agencies in the country was breached and millions of consumers’ social security numbers and other sensitive information was stolen. This legislation will ensure that impacted individuals receive appropriate credit monitoring and identity theft mitigation services when a credit reporting agency loses their social security number.”