
Post-Equifax settlement, NY updates data breach notification laws

Equifax is fined $675 million, while New York data breach notification law now covers biometrics, passwords, and more.

The crows are coming home to roost after Equifax’s 2017 data breach, and over the past week, those crows have lobbed these projectiles:

Fine

The Federal Trade Commission last week announced that Equifax has agreed to pay $675 million – up to possibly $700 million – as part of a settlement over its massive security flub: failing to secure the huge amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.

The settlement includes $300 million paid into a fund for credit monitoring services, for compensation to those who forked over money to Equifax to buy credit or identity monitoring services or who had other out-of-pocket expenses as a result of the breach.

Starting next year, it will also provide affected US consumers with six free credit reports per year for seven years (on top of the one free report they already get each year from Equifax and the two other credit reporting agencies, Experian and TransUnion).

Finally, Equifax also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the Consumer Financial Protection Bureau (CFPB) in civil penalties.

Law

New York passed two laws to beef up its data breach notification requirements to help shield its citizens from getting Equifax-ified again.

New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act on Thursday. It will go into effect on 21 March 2020. On the same day, he also signed the Identity Theft Prevention and Mitigation Services Act. That one goes into effect on 23 September 2019.

SHIELD expands the scope of information covered by current data breach notification law to include biometric information, plus email addresses and their corresponding passwords or security questions and answers.

Here’s State Senator Kevin Thomas, Chairman of the Committee on Consumer Protection and the sponsor of the bill:

It is critical that our laws keep pace with the rapidly changing world of technology. The SHIELD Act raises security standards so that no more New Yorkers are needlessly victimized by data breaches and cyber-attacks.

The bill – New York Senate Bill S5575B/Assembly Bill A5635A – expands the definition of “private information”, i.e., data that, if breached, could trigger a notification requirement.

This is what’s considered “private information” under the new law, according to legal intelligence site JDSupra:

  • Personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
      • Social Security number;
      • Driver’s license number or non-driver identification card number;
      • Account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
      • Biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity;
    OR
  • A user name or email address in combination with a password or security question and answer that would permit access to an online account.

That’s an expanded definition of “private information,” but JDSupra points out that it’s not as broad as laws in other states, such as California, Illinois, Oregon, and Rhode Island. In those states, certain health insurance identifiers are included along with medical information.

For anybody processing NY residents’ private info

The law applies to any entities that process NY residents’ information. It increases civil penalties and widens the definition of a data breach to also require breach notifications from “any person or entity with private information of a New York resident, not just to those that conduct business in New York State.”

According to the New York State Senate official website, the law also…

Requires reasonable data security, provides standards tailored to the size of a business, and provides protections from liability for certain entities.

Governor Cuomo:

As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure.

Mandatory free ID theft protection, credit freezes

The second bill, the Identity Theft Prevention and Mitigation Services Act, requires credit reporting agencies that have experienced a breach involving Social Security numbers – we’re looking at you, Equifax – to provide five years of identity theft prevention and mitigation services to affected consumers.

It also gives consumers the right to freeze their credit at no cost. Consumers used to have to pay for credit freezes, until they finally gained the right to freeze their credit for free in 2018.

3 Comments

Are other states, besides the ones already listed, taking any action to provide the same type of legislation? When is this law going to become Federal law?


Why did my comment end up with Word Press?


Naked Security is run on the wordpress.com platform and some features, such as following, comments, emails generated in response to comments and authentication, are common to all sites on that platform.
