New York State has become the latest in a long line of states to tweak its laws around data breach notifications.
On July 19, Capital One suffered one of the biggest data breaches ever. On July 25, New York Governor Andrew Cuomo signed new legislation, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), into law. The bill passed through the state's Senate and Assembly extremely quickly after it was first introduced. Under New York's current data breach law, any company that holds private information must disclose a breach to any person whose data may have been affected.
Among the changes the SHIELD Act introduces are a broadened scope of information covered under the existing breach notification law, updated notification requirements, and an expanded definition of a data breach. It also requires reasonable data security, sets standards scaled to the size of a business, and provides protection from liability for certain entities.
The expanded definition of a breach now includes unauthorized access to computerized data that compromises the security, confidentiality, or integrity of private information. This new definition may lead the way for more states to adopt similar wording, which would have serious ramifications for companies that are breached.
Data that was not previously subject to the law, including biometric information and email addresses or usernames in combination with passwords or security questions and answers, will now be considered private information under the notification law.
Another section that has seen changes is the definition of private information. Below are the data elements that, in combination with a name or other personal identifier, now count as private information:
- Social Security number;
- Driver’s license number or non-driver identification card number;
- Account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual's financial account; or account number, credit or debit card number alone, if circumstances exist in which the number could be used to access an individual's financial account without any additional identifying information, security code, access code, or password.
The law also follows breach notification laws in Maryland and extends the notification requirement, applying it to any person or entity with private information of a New York resident, not just those that conduct business in the state.
Under the act, New York State will also revise how it interprets a security breach, broadening the term to include any unauthorized access to private information. Under the current law, access alone, without acquisition of the data, does not qualify as a breach.
Organizations that own or license computerized data "that includes a New York resident's private information" will need to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that information. As examples of such safeguards, the law points to performing cyber security risk assessments, conducting employee training, selecting vendors capable of maintaining appropriate safeguards, and securely disposing of private information once it is no longer needed.
The SHIELD Act was also signed in alongside several other data protection laws regarding identity theft. Beginning next March, victims of a consumer credit data breach at a credit reporting agency will be able to seek five years of an identity theft service if their Social Security numbers have been compromised. Under the law, the Identity Theft Prevention and Mitigation Services Act, consumers will also be given the right to freeze their credit at no cost.
The act, largely spurred by missteps in Equifax's response to its massive 2017 breach, is specifically aimed at consumer credit reporting agencies. "From the initial Equifax hack to the company's inadequate response, it is clear that New York State needed to be doing much more to protect consumers from data thieves. In the ever-evolving world of emerging technology, it is imperative that safeguards are in place to prevent personal information like social security numbers and banking information from so easily ending up in the hands of hackers," Senator Leroy Comrie said.
In the absence of a comprehensive federal data privacy law, states continue to introduce and refine their own laws to protect the privacy of their residents. Forward-looking companies need to stay aware of the changing laws around cyber security and data privacy and be prepared to navigate the regulatory rapids.