Legislative Alert: New York Expands Data Breach Obligations for Credit Reporting Agencies
New York Governor Andrew Cuomo has signed into law Senate Bill S3582, which further expands obligations owed to consumers when a data security breach affects a credit reporting agency. Specifically, upon the “breach of the security of the system” of a consumer credit reporting agency that includes a consumer’s Social Security number, that credit reporting agency must offer identity theft prevention services and, if applicable, identity theft mitigation services, for a period not to exceed five years, at no cost to the affected consumers. Additionally, the credit reporting agency must inform consumers how to request a security freeze.
What constitutes a “breach of the security of the system” remains the same as defined in New York’s existing data breach statute NY Gen Bus Law §899-aa. An exception to the requirement to provide the enumerated services to consumers in the event of a breach exists for incidents in which, after appropriate investigation, the agency reasonably determines the breach of security is unlikely to result in harm to the consumers whose information was compromised. In these cases, the agency is not required to provide identity theft prevention or mitigation services.
The law will take effect September 23, 2019, and applies to any security breach of a credit reporting agency that occurred no more than three years prior to the effective date.
This bill responds to the 2017 Equifax security breach, which compromised the personal information, including Social Security numbers, of nearly 150 million consumers. On July 22, 2019, Governor Cuomo, the State Department of Financial Services, and State Attorney General Letitia James announced a $19.2 million settlement with Equifax over the data breach. One provision of the settlement requires Equifax to provide affected New York consumers with credit monitoring services and free annual credit reports, in addition to restitution to consumers adversely impacted by the breach.
In a press release, Governor Cuomo acknowledged security breaches are becoming more frequent and this bill, along with the SHIELD Act, provides increased protections available for consumers and holds companies accountable for failing to protect adequately sensitive consumer information.