New York State has become the latest in a long line of states to tweak its law around data breach notification.
Governor Andrew Cuomo signed new legislation, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law last Thursday.
The bill, which passed through the state's Senate and Assembly in less than three months, will broaden the definition of information covered under the law and extend the notification requirement and enhance data security requirements for companies.
Under the legislation, data including biometric information and email addresses, along with passwords and security questions and answers, will be considered information under the notification law.
That’s in addition to personal information including:
- Social Security number;
- Driver’s license number or non-driver identification card number;
- Account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.
The law also extends the notification requirement, applying it to any person or entity with private information of a New York resident, not just those that conduct business in the state.
Under the act, New York State will also revise how it interprets a security breach, essentially broadening the term to include any access of private information. Access alone, without the acquisition of data, doesn't qualify as a breach currently.
Under the SHIELD Act, organizations that own or license computerized data “that includes a New York resident’s private information" will need to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the information. The law recommends orgs look into performing risk assessments, employee training, and vendors who can maintain appropriate safeguards and disposal of private information to satisfy this part of the law.
In a separate action, the state's governor signed new legislation around identity theft prevention. Beginning next March, victims of a consumer credit data breach at a credit reporting agency will be able to seek five years of an identity theft service if their Social Security numbers have been compromised. Under the law, the Identity Theft Prevention and Mitigation Services Act, consumers will also be given the right to freeze their credit at no cost.
The act, largely spurred by missteps taken by Equifax's response to its massive 2017 breach, is specifically catered towards consumer credit reporting agencies.
"From the initial Equifax hack to the company's inadequate response, it is clear that New York State needed to be doing much more to protect consumers from data thieves. In the ever evolving world of emerging technology, it is imperative that safeguards are in place to prevent personal information like social security numbers and banking information from so easily ending up in the hands of hackers," Senator Leroy Comrie said of the law last week.
In lieu of a comprehensive federal data privacy law, states continue to introduce and refine their own individual laws as a way to protect the privacy of their residents.
