United States: New York Enacts New Security And Identity Theft Protection Laws In Response To Recent Data Breaches

Last Updated: August 7 2019
Article by Kimberly J. Gold and Robert Kantrowitz

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (S.5575B/A.5635), which significantly increases obligations for businesses handling private data to notify affected consumers upon experiencing a security breach. Additionally, Governor Cuomo signed the Identity Theft Prevention and Mitigating Services Act (A.2374/S.3582), requiring consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who have been affected by a security breach of the agency's system.

In an official press release announcing his signature on both pieces of legislation, the Governor emphasized the significance of implementing such laws to protect New Yorkers against security breaches. Citing a recent significant data breach, Cuomo noted that "[a]s technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure . . . [t]he stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data."


The SHIELD Act enhances the notification requirements in New York by, in part, broadening the information and entities covered by the law, and imposing security requirements on businesses and individuals, beyond those solely operating in New York. Specifically, the SHIELD Act expands the scope of the state's protection of personal information in three significant ways:

  • The law applies broadly to any person or business that owns or licenses computerized data that includes private information of a New York state resident, regardless of whether the person or business conducts business in the state. New York's current breach notification law applies only to persons and entities conducting business in the state.
  • The law broadens the definition of "data breach" to include unauthorized "access" to private information. Only an "acquired" standard applies under the current breach notification law (NYGBL section 899-AA). For businesses or individuals subject to the SHIELD Act, a breach requiring notification is triggered when a New York resident's private information was, or is reasonably believed to have been, accessed or acquired without authorization through a breach of the security system in place. Access may include viewing, copying, or downloading private information.
  • While the current definition of "personal information" consists of "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person," the SHIELD Act, consistent with recent amendments to other states' breach notification laws, expands the definition of "private information" to include financial account numbers that can be used to access an account without additional identifying information, biometric information (e.g., fingerprint, voice print, retina, or iris image), and user names or email addresses, in combination with passwords or security question answers that would allow access to online accounts.

Beyond expanding New York's reach, the SHIELD Act updates the notification procedures for companies and state entities in the event of a breach of private information, including coordination with the breach notification provisions of other federal and New York laws and regulations. Although the law does not require further notification to individuals if an entity is already regulated by, and providing notice in accordance with, other laws and regulations (e.g., HIPAA, NY DFS Reg 500), notice still must be given to the state attorney general, the New York Department of State, and the state police.

The SHIELD Act also imposes "reasonable" security requirements on persons and businesses that collect the private information of a New York resident, including the development, implementation, and maintenance of "reasonable" administrative, technical, and physical safeguards. Businesses that are already in compliance with laws like HIPAA and the GLBA are deemed compliant with the applicable sections of the legislation (including breach notification provisions). Specific requirements depend on the size and nature of a business and the sensitivity of the information collected. The law provides examples of measures it deems as reasonable, such as personnel training, careful selection of vendors capable of maintaining appropriate safeguards and implementing contractual obligations for such vendors, and proper disposal of private information. Under the SHIELD Act, New York joins many states requiring persons and entities to implement reasonable data security protections based on business size, as well as those states with data breach notification requirements extending to companies that do not do business in the state.

Regarding enforcement, the SHIELD Act extends the time period in which the New York attorney general may bring an action against a business for SHIELD Act violations. Under the current breach notification law, the action must be brought within two years from "the date of the act complained of or the date of discovery of such act," but the updated statute of limitations is three years from either (i) the date on which the attorney general became aware of the violation, or (ii) the date of notice sent to the attorney general. Note that the law adds an exclusion from time limits where the entity took steps to hide a breach.

Unlike the California Consumer Privacy Act, the SHIELD Act does not authorize a private right of action, so class action litigation under the Act is not available. Instead, the attorney general may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not knowing or reckless, the court may award damages for actual costs or losses incurred by a person entitled to notice. For knowing and reckless violations, the court may impose a penalty equal to the greater of $5,000 or up to $20 per instance of failed notification, with a maximum of $250,000. For violations of the reasonable safeguard requirements, the court may impose a penalty of not more than $5,000 per violation.

The notification section of the SHIELD Act, which amends NYGBL section 899-AA, will be effective October 23, 2019. The data security portion will be effective March 21, 2020 as NYGBL section 899-BB.

Identity Theft Prevention and Mitigating Services Act

Governor Cuomo also signed into law the Identity Theft Prevention and Mitigating Services Act, which establishes the minimum amount of long-term protections credit reporting agencies must give to consumers who are affected by a data breach. It specifically requires credit reporting agencies that experience a breach of information containing consumer social security numbers to provide five years of identity theft prevention and mitigation services, and gives consumers the right to freeze their credit for free. This legislation also includes a lookback period, applying to any breach of the security of a consumer credit reporting agency that occurred no more than three years prior to the effective date of the law.

The Identity Theft Prevention and Mitigating Services Act will be effective September 23, 2019 by amending NYGBL section 380-T.

Impact on organizations

The enactment of the above laws demonstrates how states throughout the country are taking note of the increasing frequency and severity of significant data breaches and are making a point to seriously address the security of their residents' personal information. New York's SHIELD Act has far-reaching effects, and thus organizations of various sizes and locations that may have access to the private information of New York residents should review and assess their privacy and security policies and procedures (particularly with regard to data breach prevention and incident response) to ensure they are compliant with New York's developing privacy laws.

However, tailoring a compliance program to New York's requirements may not be sufficient. Similar laws in other states may, in certain respects, have even broader definitions of "private information" or the equivalent term (e.g., Illinois). With this in mind, it is important for organizations to grasp that a "one size fits all" approach may not satisfy the varying requirements of different states' current and proposed privacy legislation. If organizations intend to operate in, or access the data of residents of, all 50 states (as well as U.S. territories), they should take a nimble approach to compliance with each state's requirements and maintain security procedures robust enough to match the strictest requirements, at least until a federal privacy and security law is passed, if it ever is.

This article is presented for informational purposes only and is not intended to constitute legal advice.
