Gov. Cuomo approves the SHIELD Act to protect New Yorkers against data breaches

The Shield Act

Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security or SHIELD Act to protect New Yorkers against data breaches.

In 2017, former New York Attorney General Eric Schneiderman introduced the SHIELD Act as a program bill in response to the Equifax massive data breach.

Gov. Cuomo’s decision to approve the legislation comes after Equifax agreed to pay $700 million to settle a nationwide complaint against it in connection with the massive data breach in 2017.  The settlement includes a restitution fund of up to $425 million for consumers.

The New York State Department of Financial Services and State Attorney General James reached a $19.2 million settlement with Equifax over the data breach.

In a statement, the Governor said, “As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure.”

Gov. Andrew Cuomo

“The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data,” added Gov. Cuomo.

On the other hand, Attorney General Letitia James commented, “The SHIELD Act is now the law of the land and provides better protections for consumers’ private information. New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”

New York State’s SHIELD Act

The SHIELD Act strengthens the state’s current breach notification law. It broadens the scope of information cover under the notification law to include biometric information and email addresses with their corresponding passwords or security questions and answers.

Additionally, it expands the definition of data breach to include unauthorized access to private information and creates reasonable data security requirements based on the size of a business.

Furthermore, the SHIELD Act updates the notification requirements and procedures every company and state agency must follow when a data breach occurs.

Moreover, it extends the notification requirement to any person or entity with private information of a New York resident, not just those who conduct business in New York State.