On July 25, 2019, New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. The SHIELD Act takes effect in March 2020.
The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (ITPMSA). The ITPMSA requires credit reporting agencies that suffer a breach involving Social Security numbers to provide five years of identity theft prevention and mitigation services to affected consumers. The ITPMSA takes effect in September 2019.
Changes to New York’s Data Breach Notification Law
The SHIELD Act makes several changes to the existing data breach notification law, imposing more stringent obligations on businesses that handle customers' private data, including:
- Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers;
- Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information;
- Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State;
- Expanding the definition of a data breach to include unauthorized access to private information; and
- Creating reasonable data security requirements tailored to the size of a business.
If you need assistance developing and implementing a data privacy and cybersecurity compliance program that is sufficient to satisfy these new requirements, please contact us.