The governor of New York yesterday signed into law two bills that aim to do more to protect consumers in the event their information is compromised in a data breach and applies to any company that possesses the information of a New York resident, regardless of whether the company conducts business in New York or not.
S.5575B/A.5635, the Stop Hacks and Improve Electronic Data Security Act (SHIELD), will go into effect 240 days from yesterday. A.2374/S.3582, the Identity Theft Prevention and Mitigation Services Act, will go into effect 60 days from yesterday.
The SHIELD Act broadens the type of information that will require an individual be notified if it is ever compromised. Once in effect, biometric information and email addresses along with their corresponding passwords or security questions and answers will be covered under the law, and companies will need to notify individuals if that information is ever compromised. As well, the law expands the definition of a data breach to include unauthorized access to private information, and updates the notification requirements that companies must follow in the event of a breach. That includes any entity or organization with the private information of a New York resident, not just companies that conduct business in New York.
The Identity Theft Prevention and Mitigation Services covers credit reporting agencies that are hacked, much like Equifax was back in 2017. Any credit reporting agency that suffers a breach must provide individuals with five years of identity theft prevention services, and give individuals the right to freeze their credit.