Last July, New York State enacted a couple of new and tougher data security laws. The SHIELD Act takes effect on March 21, 2020, and it ups the state standard for data security. The Identity Theft Prevention and Mitigation Act demands more positive action from credit rating agencies that suffer a data breach involving Social Security numbers.

Here is an excerpt from a report published by Cooley:

The SHIELD Act goes into effect on March 21, 2020. It brings New York in line with other states’ updates to information security and breach notification statutes. The SHIELD Act makes the following key changes to New York’s data breach notification law:

  • Requires “reasonable security.” The most important change to New York law is the SHIELD Act’s requirement that covered entities maintain reasonable administrative, technical, and physical safeguards to protect “private information.”
  • Expands the definition of “private information.” Private information covered by New York’s data breach law will now include biometric information, some account numbers and credit/debit card numbers.
  • Expands the definition of “breach of the security of the system.” While New York previously only required notification when a third party acquired covered information, the SHIELD Act changes the definition of breach to cover unauthorized access to covered information.
  • Expands breach notification requirements. Under the SHIELD Act, any person or entity with a New York resident’s private information must comply with notification obligations, not just parties that “conduct business” in New York.


The Identity Theft Prevention and Mitigating Services Act, also a response to the Equifax breach, requires credit reporting agencies that suffer a breach exposing Social Security numbers to provide identity-theft protection services for five years and identity theft mitigation services, if applicable. The law also guarantees affected consumers the right to a free credit freeze.

In practical terms, the passage of these laws requires companies to update their breach notification and response process for New York State residents. If a company already has a security program in place that satisfies other states’ legal requirements, the company may not need to do much else to ensure compliance at this time. However, as more states roll out new data security requirements, this may be the right time for companies to reevaluate their security practices to ensure compliance with the SHIELD Act and other data security laws.