New York State Attorney General Letitia James in April. Photo: Diego M. Radzinschi/ALM

State lawmakers have passed legislation that would “modernize” and update consumer data protections and expand New York Attorney General Letitia James' oversight of data breaches affecting New Yorkers, according to a news release issued by James “applauding” the act's passage.

Called the “Stop Hacks and Improve Electronic Data Security Act,” or SHIELD Act, the bill now moves to Gov. Andrew Cuomo's desk for his decision on whether to sign it into law.

The legislation, first introduced by the Attorney General's Office in 2017 after the Equifax Inc. data breach compromised some 145.5 million Americans' personal information, includes a number of measures aimed at enhancing protections for New Yorkers, including applying the state's data breach notification requirement to any person or entity with a state resident's private information, instead of applying it only to those conducting business in the state, James' office said.

In addition, the act broadens the definition of a data breach to cover cases in which unauthorized persons gain access to private information, rather than using the current “acquired standard,” the news release said. The legislation also expands the scope of information subject to the state's notification law to include biometric information, email addresses and corresponding passwords, or security questions and answers.

“[M]y office has been working hard this session to modernize our outdated laws governing data breaches,” James said in the news release. “This bill is an important step forward providing greater protection for consumer's private information and holding companies accountable for securing that data.”

The news release noted that under current law, entities that collect private information must give notice to the Attorney General's Office when there is a data breach, as the office is the lone enforcer of the state's data breach law found in General Business Law 899-aa.

James' office then said that “given the evolution of how individuals use and disseminate private information, the Office of the Attorney General submitted the SHIELD Act as an agency program bill in order to update the current statute to keep pace.”

The act was first introduced under former Attorney General Eric Schneiderman following the massive Equifax breach, which reportedly compromised the personal information of more than 8 million New Yorkers.

James' office further noted that if the legislation is made into law, New York would join an “increasing number of states that require reasonable data security protections, while being careful to avoid excessive costs to small business and without imposing duplicate obligations under federal or state data security regulations.”

The act's data security requirements are “tailored to the size of a business,” the release said.

“The SHIELD Act will put strong safeguards in place to curb data breaches and identity theft,” said Justin Brookman, director of privacy and technology policy for Consumer Reports, in James' news release.

He added, “This is a big win in the fight to improve data security for the people of New York, and it helps build momentum for reforms nationwide.”

The legislative sponsors for the bill were state Sen. Kevin Thomas and Assemblyman Michael DenDekker, the news release said.