To help its residents, the State of New York has improved its existing data breach law. Governor Andrew Cuomo signed two bills on July 25th:
"The Governor signed the Stop Hacks and Improve Electronic Data Security - or SHIELD - Act (S.5575B/A.5635), which imposes stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach. The Governor also signed legislation (A.2374/S.3582) requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency's system."
The Governor's announcement emphasized the importance of the state's laws keeping pace with rapid advances in technology. To address new technologies, the SHIELD Act will provide stronger protections by:
"1) Broadening the scope of information covered under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers; 2) Updating the notification requirements and procedures that companies and state entities must follow when there has been a breach of private information; 3) Extending the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State; 4) Expanding the definition of a data breach to include unauthorized access to private information; and 5) Creating reasonable data security requirements tailored to the size of a business."
The full text of the SHIELD Act legislation is available here. The SHIELD Act will go into effect on March 21, 2020. The announcement also mentioned Equifax:
"In late July 2017, one of the three main credit reporting agencies, Equifax Inc., experienced a major data breach involving personal information, including social security numbers... the company's response was insufficient and it is unacceptable that consumers were left to bear the burden to protect their own identities even though their information was stolen at no fault of their own. On July 22, 2019, Governor Cuomo, the State Department of Financial Services and State Attorney General James announced a $19.2 million settlement with Equifax over the data breach. As part of that settlement, Equifax agreed to provide New York consumers with credit monitoring services and free annual credit reports, and the company will pay restitution to consumers affected by the breach..."
So, it seems that Equifax's breach and data security failures factored into the new legislation. The announcement also explained the new Identity Theft Prevention and Mitigation Services (A.2374/S.3582) legislation:
"This legislation establishes the minimal amount of long-term protections to consumers who are affected by a data breach from a credit reporting agency. It requires credit reporting agency that suffers a breach of information containing consumer social security numbers to provide five-year identity theft prevention services, and if applicable, identity theft mitigation services to affected customers. Additionally, the legislation requires credit reporting agencies to inform consumers on credit freezes of a breach of data involving a social security number, and provides consumers with the right to freeze their credit at no cost. The bill... applies to any breach of the security of a consumer credit reporting agency that occurred no more than three years prior to the effective date of this act."
The A.2374/S.3582 bill will go into effect on September 23, 2019. The retroactive coverage of three years is good as it ensures credit reporting agencies with recent data breaches cannot escape responsibility.
Consumer reporting agencies enjoy a unique position as consumers cannot opt out of having their credit reports covered by Experian, Equifax, and TransUnion. Some people would call that corporate welfare. It would be great if consumers had the right to remove their credit reports from credit reporting agencies that practice poor data security with repeated data breaches. Consumers have that right with retail stores -- you can stop shopping at stores with poor data security and multiple data breaches.
In related news, JD Supra reported about proposed legislation:
"... New York City lawmakers have proposed a bill that would make it unlawful for a mobile app developer or telecommunications carrier to share a customer’s location data without an authorized purpose if the data was collected from the customer’s device within the city. The bill broadly defines the term “share” as making “location data available to another person, whether for a fee or otherwise,” suggesting that selling information is unlawful without an authorized purpose such as customer consent. The bill allows for a private right of action, including penalties for violations of $1,000 per violation, with a maximum penalty of $10,000 per day per person whose location data was unlawfully shared, as well as attorney’s fees."
To learn more, read about new data breach legislation in other states this year.