On Friday, July 26, 2019, New York Governor Andrew Cuomo signed two bills into law designed to enhance cybersecurity protections for New York residents. The legislation updates New York's data breach notification law.
The "Stop Hacks and Improve Electronic Data Security Act" (the "SHIELD Act") was created to enhance cybersecurity protections for New York residents by expanding the state's existing data breach notification requirements. Specifically, the legislation:
- widens the definition of "private information" to include biometric data, a username or email address and a password, or security questions and answers that would permit access to an online account;
- expands the definition of "data breach" to include unauthorized access to private information on a data system, even if such private information is not stolen;
- extends the breach notification requirement to include any person or entity that owns or licenses computerized data that includes private information concerning any New York State resident, even in the absence of a New York business enterprise;
- tightens the notification procedures following a data breach; and
- imposes data security safeguard requirements, including the designation of cybersecurity personnel, sufficient data protection controls, and employee training on cybersecurity practices and procedures.
The "Identity Theft Prevention and Mitigating Services Act" will require credit reporting agencies to provide "reasonable identity theft prevention services [and] identity theft mitigation services" to any customers affected by a data breach involving their social security numbers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.