Governor Andrew M. Cuomo recently signed legislation to protect New Yorkers against security breaches.

Cuomo signed the Stop Hacks and Improve Electronic Data Security — or SHIELD — Act (S.5575B/A.5635), which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. Cuomo also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency’s system.

“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”

In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers. The state recently reached a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach.

SHIELD ACT (S.5575B/A.5635)

The legislation passed the state Assembly, 147-1, with both Assemblymen Andrew Goodell, R-Jamestown, and Joe Giglio, R-Gowanda, voting in favor. The legislation imposes stronger obligations on businesses handling private data of customers, regarding security and proper notification of breaches by:

¯ Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;

¯ Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;

¯ Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York state;

¯ Expanding the definition of a data breach to include unauthorized access to private information; and

¯ Creating reasonable data security requirements tailored to the size of a business.

IDENTITY THEFT PREVENTION AND MITIGATION SERVICES (A.2374/S.3582)

The legislation passed the state Assembly, 143-1, with both Assemblymen Andrew Goodell, R-Jamestown, and Joe Giglio, R-Gowanda, voting in favor. The legislation establishes the minimal amount of long-term protections to consumers who are affected by a data breach from a credit reporting agency.

It requires credit reporting agency that suffers a breach of information containing consumer social security numbers to provide lifetime identity theft prevention services, and if applicable, identity theft mitigation services to affected customers.

The legislation would also prohibit fees relating to the implementation and lifting of security freezes on consumer credit reports, if those reports were part of a breach of information containing social security numbers. Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost.