New York updates its breach notification law in response to Equifax, GDPR

With the SHIELD Act, New York now has one of the most consumer-friendly data protection laws in the country.

Businesses throughout the U.S. will now be required to notify New Yorkers as quickly as possible when their information is compromised in a security incident, under a bill that Gov. Andrew Cuomo signed Thursday.

The consumer-friendly data protection law updates New York’s current rules to cover biometric data, and forces firms to alert consumers when their email address, combined with the corresponding password or security questions and answers, is compromised. The state legislature quietly passed the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, in June.

The law, which takes effect March 2020, requires companies to notify individuals “in the most expedient time possible and without unreasonable delay,” a time period that generally means 30 days, state Sen. Kevin Thomas, who re-introduced the SHIELD Act after it failed to pass in 2017, previously told CyberScoop.

If the incident affects more than 500 New York residents, the affected business is required to provide a written determination to the state attorney general. Another piece of legislation also requires consumer credit monitoring agencies to offer identity theft prevention services to customers who are made vulnerable because of a breach at that company, a clear reaction to the 2017 Equifax data breach that affected more than 147 million people.

The SHIELD Act also expands the notification requirements to any person or entity holding private information on New York state residents, regardless of where that person or entity is located. Existing law in New York and in other states typically applies only to organizations operating within state borders. In that sense, the SHIELD Act borrows from the European Union’s General Data Protection Regulation, a landmark privacy law that requires firms to notify EU regulators within 72 hours of a security incident, no matter where the firms are headquartered.

“I want to capture as many businesses as possible,” Thomas told CyberScoop in May. “To just limit it to people who do business here doesn’t really suffice.”

The law was inspired in part by the breach at Equifax, which U.S. regulators announced this week would settle various investigations for $700 million. Some $175 million of that will be paid to states under the terms of the agreement, including more than $9 million to New York.