Two new privacy protection laws were signed into law by New York Governor Andrew Cuomo on July 25, 2019. (NY State Law S.5575B/A.5635 – or SHIELD Act – “Imposes Stronger Obligations on Businesses Handling Private Customer Data to Provide Proper Notification of Security Breaches.”). The law takes effect 240 days from the date of signing which was July 25, 2019, giving businesses until March 22, 2019, to implement.
The second law (A.2374/S.3582 “Requires Consumer Credit Reporting Agencies to Offer Identity Theft Prevention and Mitigation Services to Consumers Affected by a Security Breach.”) takes effect 60 days from July 25, 2019 (September 23, 2019) and applies to breaches within three years prior to the effective date.
The laws follow a trend of requiring more accountability, greater specificity of action from all companies and organizations that collect and process personal information. What started in Europe as the General Data Protection Regulation (GDPR) is now being emulated in the United States in response to the most recent breaches. The most notorious of these was the Equifax breach of consumer credit information. It is very unlikely it will stop there. The U.S. government and other states will follow. The trend will continue establishing accountability at the most senior levels of business organizations.