Two years later the impact of Equifax’s massive data breach continues to be felt. As we reported last week, the FTC announced a $700 million settlement with Equifax. Then on Thursday, in reported response to the settlement, New York governor Andrew Cuomo signed two new data privacy bills into law.
Here is a quick run down of the two privacy laws New York passed last week and how they could impact your business:
Senate Bill S3582
The first bill passed into law last week concerns consumer credit reporting agencies. Under the new law, all credit reporting agencies that have experienced a data breach are required to offer effected consumers free identity theft prevention and mitigation services for up to five years. The law additionally gives effected customers the right to freeze their credit at no cost.
The second and by far most impactful of the laws passed is the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). While the focus is simply on breach notification procedures, the law is noticeable for the expanded scope of the regulation and the broadened definitions it introduces.
In short, the new law requires businesses to report any breach of personal information that an organization has. What is notable, however, is that the SHEILD Act doesn’t just apply to businesses operating within New York. Instead, any organization that owns the personal information of New York residents must now comply with the reporting requirements.
What’s more, the law expands the definition of what counts as a data breach. Traditionally, data breaches are understood as an instance where someone actually takes an organization’s data. The SHIELD Act, however, expands this definition to also include instances where the data has simply been accessed by an outside entity. The definition of personal information has also been expanded by the new law to include biometric data and a usernames or email addresses in combination with a password or security question.
In addition to notification requirements, the law requires businesses with the personal information of New York residents to implement “reasonable” security requirements. These include compliance with regulations such as HIPPA and GLBA as well as “reasonable administrative, technical and physical safeguards.”
Lastly, the law lays out a new penalty framework for organizations that fail to properly report data breaches. Under the SHEILD Act, action against businesses will be pursued by the State Attorney General rather than through individual or class action civil suits. The law also increases the maximum penalty for organizations from $150,000 to $250,000.
Signs of Regs to Come
These two new laws solidify the impression that New York is working hard to strengthen its stance on cyber security and data privacy. Just last month state senator Kevin Thomas introduced the New York Privacy Act, considered by some to surpass even the GDPR in the privacy rights it gives consumers. Perhaps the most unique feature the bill proposes is the concept of Information Fiduciaries.
While the Privacy Act has a long way to go before passing into law, the ease with which these two laws were enacted may be a sign of things time.