Bloomberg Law
July 25, 2019, 5:19 PM

New York State Expands Data Breach Notification Laws

Keshia Clukey
Keshia Clukey

New York State will require businesses to put in place data security programs and consumer credit reporting agencies to boost protection services under measures signed by Gov. Andrew M. Cuomo.

Cuomo (D) signed a bill (A.5635B/S.5575B) updating the state’s privacy law by expanding the definition of personal information and adding new requirements and timelines for data breach notices. It takes effect in 240 days.

He also signed a bill (A.2374/S.3582) requiring credit agencies to offer lifetime identity theft prevention and, if applicable, mitigation services if a data breach exposes consumers’ Social Security numbers. It takes effect in 60 days.

“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Cuomo said in a news release.

The bills’ signings followed Equifax Inc.’s July 22 settlement with the Federal Trade Commission. The company agreed to pay up to $700 million to resolve state and federal investigations into a 2017 hack in which the sensitive information of more than 140 million people was compromised.

The privacy law update applies to any person or entity with access to private information of a New York state resident, regardless of whether they conduct business in the state. It expands the definition of private information to include biometric data, email addresses, and corresponding passwords or security questions and answers. The law also broadens the definition of data breach to include unauthorized “access” to private information.

Businesses that collect private information will have to maintain “reasonable” data security and implement “reasonable” administrative safeguards such as employee training, according to the measure.

Meanwhile, consumer credit reporting agencies can no longer charge fees enacting or lifting freezes on consumer credit reports if they were part of an data breach containing Social Security numbers.

The agencies also must tell consumers about credit freezes of a breach involving Social Security numbers and allow them to freeze their credit at no cost. The law applies to any breach of security of a consumer credit reporting agency that occurred in the last three years.

To contact the reporter on this story: Keshia Clukey in Albany, N.Y. at

To contact the editors responsible for this story: Rebecca Baker at; Keith Perine at