Companies will have to be more forthcoming with New Yorkers about cyber-attacks that jeopardize private data under a pair of new laws signed Thursday by Gov. Andrew Cuomo.
The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, updates New York’s laws concerning notification requirements and consumer data protection obligations and broadens the state Attorney General’s oversight regarding data breaches impacting New Yorkers.
“The SHIELD Act is now the law of the land and provides better protections for consumers’ private information,” Attorney General Letitia James said. “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”
The law, inspired by the massive breach of credit-rating company Equifax, expands the definition of data to include biometric data, as well as email addresses, passwords and security questions.
James announced earlier this week that Equifax agreed to pay up to $700 million to resolve federal and state investigations into the 2017 hack that compromised the sensitive information of more than 140 million people.
Instead of allowing consumers to seek redress through civil litigation, the law grants James’ office greater enforcement power and ups possible civil penalties companies can face from $150,000 to $250,000 for failing to notify consumers, which would then be awarded as damages to New Yorkers whose data was compromised.
The new law also widens the parameters of what counts as a breach, making it so that companies must notify consumers when any of their information is accessed, as opposed to being acquired. It also requires that companies implement “reasonable safeguards” to protect consumer data.
“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”
The second law calls on consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who’ve been affected by a security breach.
The bill requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number. The law also provides consumers with the right to freeze their credit at no cost.
“This legislation will ensure that impacted individuals receive appropriate credit monitoring and identity theft mitigation services when a credit reporting agency loses their social security number,” said sponsor Assembly Member Jeff Dinowitz.
― Government Technology