On July 25, 2019, New York enacted a pair of data security laws. First, the Stop Hack and Improve Electronic Data Security Act (SHIELD Act) updates New York’s data security requirements. Second, the Identity Theft Prevention and Mitigating Services Act imposes obligations on credit reporting agencies that experience a breach involving Social Security numbers.
The SHIELD Act
The SHIELD Act goes into effect on March 21, 2020. It brings New York in line with other states’ updates to information security and breach notification statutes. The SHIELD Act makes the following key changes to New York’s data breach notification law:
- Requires “reasonable security.” The most important change to New York law is the SHIELD Act’s requirement that covered entities maintain reasonable administrative, technical, and physical safeguards to protect “private information.” The SHIELD Act provides some guidance on what constitutes such “reasonable safeguards.” Notably, this requirement is less stringent for small businesses and excludes entities subject to other data security regulations, such as the GLBA or HIPAA.
- Expands the definition of “private information.” Private information covered by New York’s data breach law will now include biometric information; some account numbers and credit/debit card numbers even without their PIN or password information; and a username or email address in combination with a password, or any other combined information, such as security questions and answers, that provides access to an account. This broader definition of private information is still not as broad as the definitions of analogous terms in other states, such as Illinois and Rhode Island.
- Expands the definition of “breach of the security of the system.” While New York previously only required notification when a third party acquired covered information, the SHIELD Act changes the definition of breach to cover unauthorized access to covered information. The law goes on to list factors to determine whether there has been a breach, including “indications that the information was viewed, communicated with, used, or altered” without authorization.
- Expands breach notification requirements. Under the SHIELD Act, any person or entity with a New York resident’s private information must comply with notification obligations, not just parties that “conduct business” in New York. The law also prescribes additional information that must be included in any breach notice to consumers, and requires a covered entity that notifies HHS of any breach to notify the New York Attorney General’s Office as well.
While the SHIELD Act, first proposed in the wake of the Equifax breach, undoubtedly expands data security obligations under New York law, it does not create entirely new obligations on businesses, as businesses must already implement “reasonable security” under Massachusetts and California law. The SHIELD Act primarily enhances the New York Attorney General’s ability to take enforcement action over data breaches, as the law does not create a private right of action.
The Identity Theft Prevention and Mitigating Services Act
The Identity Theft Prevention and Mitigating Services Act, also a response to the Equifax breach, requires credit reporting agencies that suffer a breach exposing Social Security numbers to provide identity theft protection services for five years and, if applicable, identity theft mitigation services. The law also guarantees affected consumers the right to a free credit freeze.
In practical terms, the passage of these laws requires companies to update their breach notification and response process for New York State residents. If a company already has a security program in place that satisfies other states’ legal requirements, the company may not need to do much else to ensure compliance at this time. However, as more states roll out new data security requirements, this may be the right time for companies to reevaluate their security practices to ensure compliance with the SHIELD Act and other data security laws.