CyberScout

New York state strengthens breach notification requirements

New York SHIELD Act

The State of New York has passed a revision to its existing laws governing data breach notification requirements and consumer data protection.

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act updates security laws to broaden the definition of data breaches and create higher standards for businesses handling the personal data of customers. The legislation was introduced in 2017 by then-state Attorney General Eric Schneiderman in the wake of the Equifax data breach that compromised the personal information of 8 million New Yorkers.

Provisions of the bill include:

  • Including biometric information, email addresses, passwords, and security questions to the criteria of a data breach.
  • Expanding the definition of a data breach to include unauthorized access to information rather than acquired access.
  • Applying data breach notification requirements to out-of-state businesses with access to New York residents.
  • Creating data security requirements tailored to the size of businesses.

“In the absence of comprehensive data security protections on the federal level, New York State has taken the initiative to help consumers. These protections are long overdue,” said Consumer Reports Directory of Privacy and Technology Justin Brookman in a press release.

The SHIELD Act is expected to be signed into law by Governor Andrew Cuomo.

The bill can be found here.