New York’s cyber just got more secure
ALBANY — Companies will have to be more forthcoming with New Yorkers about cyberattacks that jeopardize private data under a pair of new laws signed Thursday by Gov. Cuomo.
The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, updates New York’s laws concerning notification requirements and consumer data protection obligations and broadens the state attorney general’s oversight of regarding data breaches.
The SHIELD Act “provides better protections for consumers’ private information,” Attorney General Letitia James said. “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”
The law, inspired by the massive breach of credit-rating company Equifax, expands the definition of data to include biometric data, as well as email addresses, passwords and security questions.
James announced earlier this week that Equifax agreed to pay up to $700 million to resolve federal and state investigations into the 2017 hack that compromised the sensitive information of more than 140 million people.
Instead of allowing consumers to seek redress through civil litigation, the law grants James’ office greater enforcement power and ups possible civil penalties companies can face from $150,000 to $250,000 for failing to notify consumers, which would then be awarded as damages to New Yorkers whose data was compromised.
The new law also widens the parameters of what counts as a breach, requiring companies notify consumers when any of their information is accessed, as opposed to being acquired.
It also requires companies to implement “reasonable safeguards” to protect consumer data.