IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

New York Legislature Strengthens Data Breach Policies

The new legislation, known as the SHIELD Act, would broaden the scope of what counts as data, expand the rights of consumers in the event of a breach, and increase penalties for culpable companies.

A new bill recently passed by the New York Legislature would change the state’s approach to data breaches, providing consumers with more transparency while also imposing more stringent penalties on companies for cyberincidents. 

The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, would update the state’s breach notification laws, broadening the definition of what constitutes a breach, as well as expanding the current notification requirements for companies that are the source of the information leak.

As states across the country have sought to adopt consumer privacy legislation, New York legislators have pushed for some of the most comprehensive bills yet. Another recently introduced bill, the New York Privacy Act, has sought to go even further than the California Consumer Privacy Act — giving residents unparalleled access to and control over their own data.  

SHIELD was originally proposed by former Attorney General Eric Schneiderman in 2017, shortly after the Equifax data breach that affected over 145 million consumers. Since then, myriad companies have suffered through similar large-scale breaches, spurring lawmakers to shift regulatory frameworks to fit the new world of hacks and breaches that Americans live in. 

Since its introduction, SHIELD has gone through a number of revisions, but its most current iteration received its first reading in May, made its way through the Legislature throughout June, and now heads to Governor Andrew Cuomo’s desk, where it is expected to be signed into law.   

The legislation expands the legal definition of what counts as data to include biometric data, as well as email addresses and their corresponding passwords and security questions. At the same time, it also expands what counts as a breach — changing the definition from one of acquisition to one of unauthorized access, which can include unauthorized viewing and copying, among other things. 

The legislation also requires that companies implement "reasonable safeguards" to protect consumer data, while also expanding the current breach notification requirement, mandating that any person or organization affected by a breach be notified. Previously, notifications were only required for companies that do business in New York. 

The bill would also broaden the oversight and power of the state attorney general to mitigate the kinds of legal conflicts instigated by large-scale breaches. 

The bill would not give consumers a private right of action — an individual right to sue companies for breaches — which has often been held up by privacy rights activists as an ideal inclusion for legislation. However, it would cede legal authority to the AG, allowing for parens patriae, where punitive action is taken by a central authority on behalf of a collective. 

“Consumers deserve the peace of mind that their private information is secure,” said current Attorney General Letitia James in a statement, lauding the passage of the bill. “That’s why my office has been working hard this session to modernize our outdated laws governing data breaches. This bill is an important step forward providing greater protection for consumer’s private information and holding companies accountable for securing that data.”

The question of whether the legislation goes far enough to protect consumer data depends on who you ask, however. 

While many officials have lauded the new bill, Lee Tien, senior staff attorney for the Electronic Frontier Foundation, said that he felt the expansion of data breach definitions should be considered a basic measure, while adopting parens patriae over private right of action was not a preferred course of action. 

“The history of litigation in this country is full of situations where a lot of different people brought lawsuits because of something a company did that hurt people in many different places,” Tien said, arguing that ceding the power of legal recourse to a public official was an ineffective means of holding companies accountable. 

Tien also said he felt that laws and regulations need to create more clarity about what counts as "data," how to protect that data, and what to do when it is compromised.    

On the whole, many officials have described the legislation as an attempt to adapt to and keep pace with the acceleration of technology, and the many forms of data that come with it.

“Technology is evolving at an ever increasing pace, and government needs to step up to protect New Yorkers’ privacy and personal data,” said Senate Majority Leader Andrea Stewart-Cousins, in a statement associated with the new legislation. “Consumers deserve the peace of mind of knowing that their personal information isn’t being disseminated without their consent.”

Lucas Ropek is a former staff writer for Government Technology.