Attorney General James Applauds Passage Of The Shield Act   

Legislation Strengthens Data Security and Consumer Privacy Protections; Ensures Consumers Receive Notice in the Event of a Data Breach

NEW YORK—Attorney General Letitia James today applauded the passage of The Stop Hacks and Improve Electronic Data Security (SHIELD) Act by the state legislature. The bill updates New York’s laws governing notification requirements, consumer data protection obligations, and broadens the Attorney General’s oversight regarding data breaches impacting New Yorkers. 

“Consumers deserve the peace of mind that their private information is secure,” said Attorney General Letitia James. “That’s why my office has been working hard this session to modernize our outdated laws governing data breaches. This bill is an important step forward providing greater protection for consumer's private information and holding companies accountable for securing that data. I thank the sponsors of this bill, Senator Kevin Thomas and Assemblymember Michael DenDekker for their leadership in ushering this legislation through their respective chambers.”  

Under current law, in the event of a data breach, entities who collect private information must give notice to the Office of the Attorney General, the sole enforcer of New York's data breach law found in General Business Law 899-aa. Given the evolution of how individuals use and disseminate private information, the Office of the Attorney General submitted the SHIELD Act as an agency program bill in order to update the current statute to keep pace.  

“It is critical that our laws keep pace with the rapidly changing world of technology,” said State Senator Kevin Thomas.“I am proud to announce the passage of the SHIELD Act today, as it will allow for increased accountability and diligence in regards to consumer privacy. Now more than ever, it is important that businesses protect the private information of the consumers they serve.” 

“It is our responsibility to protect the privacy of New Yorkers," said Assemblymember Michael DenDekker. "This bill will ensure that businesses across the state dutifully guard consumer data and will enable the Attorney General’s Office to take the appropriate measures quickly and effectively in case of a breach. With the passing of the SHIELD Act, consumers’ private information will be more secure than ever.” 

With this update to its data security laws, New York joins the increasing number of states that require reasonable data security protections, while being careful to avoid excessive costs to small business and without imposing duplicate obligations under federal or state data security regulations. The SHIELD Act broadens the scope of information covered under the notification law and updates the notification requirements. Notably, it also broadens the definition of a data breach to include an unauthorized person gaining access to information. In addition, the bill imposes stronger obligations on businesses handling private data of customers requiring that businesses who collect private information maintain reasonable data security, which is tailored to the size of the business. 

Specifically, among other provisions, this bill:  

  • Expands the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers;  
  • Broadens the definition of a data breach to include unauthorized “access” to private information from the current “acquired” standard;  
  • Applies the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State;  
  • Updates the notification procedures companies and state entities must follow when there has been a breach of private information; and  
  • Creates reasonable data security requirements tailored to the size of a business. 

“The massive data breaches that have impacted more than half of all adult New Yorkers serve as a reminder that any of us could become a victim of identity theft at any time,” said AARP New York State Director Beth Finkel. “AARP applauds Attorney General Letitia James for pushing the proactive SHIELD ACT legislation to protect our personal information from would-be thieves who could literally ruin our lives.” 

"The SHIELD Act will put strong safeguards in place to curb data breaches and identity theft,” said Justin Brookman, Director of Privacy and Technology Policy for Consumer Reports. “This is a big win in the fight to improve data security for the people of New York, and it helps build momentum for reforms nationwide. Consumer Reports commends the New York State legislature for passing the SHIELD Act, and we thank the Attorney General’s office for its work on the bill. In the absence of comprehensive data security protections on the federal level, New York State has taken the initiative to help consumers. These protections are long overdue. We urge the governor to sign the measure, so that New York consumers have enhanced protections against data breaches and identity theft."   

The Stop Hacks and Improve Electronic Data Security was sponsored by Senator Kevin Thomas and Assemblymember Michael DenDekker. The bill now heads to the Governor for his review and consideration.