On July 25, 2019, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the Identity Theft Prevention and Mitigation Services Act were signed into law in the State of New York. Both Acts strengthen cybersecurity and consumer privacy protections for New York state residents.
The SHIELD Act
The SHIELD Act amends New York’s breach notification law by:
- Expanding the definition of “private information” to include:
  - Account numbers, credit or debit card numbers, if such numbers could be used to access a financial account without additional information (security code, password, etc.);
  - Biometric data; and
  - Login credentials to an online account with their corresponding security questions and answers.
- Expanding the definition of a data breach to include unauthorized access to private information, not just the unauthorized acquisition of private information.
- Creating exceptions to breach notification requirements in cases where:
  - The exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons; and
  - Businesses regulated under HIPAA or GLBA, or other data security rules and regulations of any federal or New York state agency, that provide notice of a breach to affected individuals in compliance with their regulatory obligations do not need to provide separate notice to affected individuals under New York’s breach law.
  - Note: the Act does not eliminate the requirement to notify the New York Attorney General, Department of State, and New York State Police in such event.
- Expanding the type of information that must be included in the notice to affected individuals following a breach. Notices must include the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information.
- Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in the State of New York.
- Requiring individuals or businesses that own or license computerized data, which includes private information of a New York state resident, to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. Note: Businesses regulated under the GLBA, HIPAA, and other data security rules and regulations of any federal or New York state agency are deemed in compliance with this requirement.
The SHIELD Act will take effect on March 21, 2020. For more information, please visit: https://legislation.nysenate.gov/pdf/bills/2019/S5575B
The Identity Theft Prevention and Mitigation Services Act
The Act requires credit reporting agencies that suffer a breach of information containing social security numbers to provide:
- 5 years of identity theft prevention services, and if applicable, identity theft mitigation services to affected customers; and
- Consumers with the right to freeze their credit at no cost.
The Identity Theft Prevention and Mitigation Services Act will take effect on September 23, 2019. For more information, please visit: https://legislation.nysenate.gov/pdf/bills/2019/S3582