New York State Governor Signs Bills Expanding Data Breach Notification Requirements

On July 25, 2019, New York Governor Andrew Cuomo signed two bills into law designed to enhance cybersecurity protections for New York residents. The legislation updates New York's data breach notification law.

The "Stop Hacks and Improve Electronic Data Security Act" (the "SHIELD Act") was created to enhance cybersecurity protections for New York residents by expanding the state's existing data breach notification requirements. Specifically, the legislation:

  • widens the definition of "private information" to include biometric data, a username or email address and a password, or security questions and answers that would permit access to an online account;
  • expands the definition of "data breach" to include unauthorized access to private information on a data system, even if such private information is not stolen;
  • extends the breach notification requirement to include any person or entity that owns or licenses computerized data that includes private information concerning any New York State resident, even in the absence of a New York business enterprise;
  • tightens the notification procedures following a data breach; and
  • imposes data security safeguard requirements, including the designation of cybersecurity personnel, sufficient data protection controls, and employee training on cybersecurity practices and procedures.

The "Identity Theft Prevention and Mitigating Services Act" will require credit reporting agencies to provide "reasonable identity theft prevention services [and] identity theft mitigation services" to any customers affected by a data breach involving their social security numbers.

Commentary

This news item illustrates that:

It also reflects the so-called "Brexitization of Financial Regulation," where numerous different states impose their own rules (not limited to data-related rules) on financial service firms that do business nationally; see, e.g., Massachusetts Securities Division Proposes Fiduciary Conduct Standard.

Regulated firms should be mindful that making a data breach notification under State law may require notifications to other regulators. Thus, for example, CFTC-registered firms are required to notify the National Futures Association if they notify customers or counterparties of a data breach under State or Federal law. See NFA Interpretive Notice 9070 (Information Systems Security Programs).
