New York State Passes Legislation Expanding Data Security Prevention and Notification Requirements


On July 25, 2019, New York State enacted a substantial expansion of its data security law in the form of two new pieces of legislation: the Identity Theft Prevention and Mitigation Services Act (ITPMS Act) and the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The ITPMS Act is less impactful for businesses generally, but perhaps more useful for consumers. First, it requires consumer credit reporting agencies that experience a breach involving Social Security numbers to give affected consumers the right to freeze their credit for five years. Second, it requires the reporting agency to provide five years of identity theft prevention and mitigation services to affected individuals. The legislation also requires the credit reporting agencies to inform consumers of the rights available to them. The bill signing occurred days after Equifax announced its settlement of the multidistrict consumer class action and the FTC enforcement action over its massive 2017 data breach, and the New York State Senate specifically cited the Equifax breach as the justification for the legislation.

The SHIELD Act is more sweeping legislation that amends New York's data security law by imposing new and broader security and breach notification requirements. One of the more significant and notable aspects of the legislation is its nationwide reach. The law expressly applies to any person or business that owns or licenses computerized data containing the private information of a New York resident, whether or not that business is located, incorporated, or registered to do business in New York. In practice, a business anywhere in the country that collects private information from New York residents, for example through a website that asks customers, visitors, or subscribers to register, falls within its scope.

On the security front, it requires businesses that are subject to the law to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information they hold. The Act lists the elements of a reasonable data security program, including specific administrative, technical, and physical safeguards (for example, designating responsibility for the program, assessing risks, training employees, vetting service providers, and disposing of private information once it is no longer needed). The Act does provide a few limitations on its application. Businesses already subject to and in compliance with other specified data security regimes, such as HIPAA, the Gramm-Leach-Bliley Act, or the NYDFS Cybersecurity Regulation (23 NYCRR Part 500), are deemed in compliance with the SHIELD Act's safeguards requirement, although the breach notification requirements still apply to them. In addition, small businesses (defined as having fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) are held to a lower standard: their safeguards need only be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it collects. The security requirements take effect on March 21, 2020, while the notification changes take effect earlier, on October 23, 2019.

On the notification front, the SHIELD Act expands the categories of personal and private information that, if exposed, trigger a required consumer notification. Beyond the Social Security, driver's license, and financial account data already covered, private information now includes biometric data, account or card numbers that can be used without an additional access code, and a username or e-mail address combined with a password or security question and answer that would permit access to an online account. This brings more data breaches within the notification requirement. The Act also broadens the definition of a breach: unauthorized access to private information is enough to trigger notification, without requiring that the unauthorized person actually acquired the information. One practical caveat for incident responders is that notification is not required where the exposure was an inadvertent disclosure by someone authorized to access the data and the business reasonably determines that it will not likely result in misuse or harm, but that determination must be documented in writing and retained for five years (and reported to the Attorney General if more than 500 New York residents are affected).

Lastly, while the SHIELD Act does not create a private right of action, it gives the New York Attorney General broad powers to bring an action for violations of the statute: to enjoin continuing violations, to recover damages for actual costs or losses incurred by the individuals entitled to notification, and to assess civil penalties. For failures to provide required notifications, the penalty is the greater of $5,000 or $20 per failed notification, capped at $250,000; for failures to implement reasonable safeguards, the penalty is up to $5,000 per violation.