New York state's data privacy and security protections will be strengthened over the next year as businesses prepare to implement two bills on the topic signed by Gov. Andrew Cuomo on Thursday.

Both bills were inspired in part by the data breach at Equifax in 2017, when the personal information of more than half the adult population in the U.S. was exposed in what's been considered one of the largest digital security events in history.

The first bill, called the Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, will broaden the definition of what's considered a data breach and set new requirements for when consumers should be notified.

The law, importantly, does not allow a private right of action, meaning individuals can't bring civil litigation against companies that don't take the legally prescribed steps to protect their data. Enforcement, instead, will be exclusively handled by the state Attorney General's Office.

New York Attorney General Letitia James was a driving force behind the bill's passage this year, nearly two years after it was first proposed.

“The SHIELD Act is now the law of the land and provides better protections for consumers' private information,” James said. “New Yorkers deserve the peace of mind that companies will be held accountable for securing their information.”

Companies will now have to notify consumers of a data breach when their information is accessed, even if it was just viewed during the event but not obtained. The previous standard only required that consumers be notified when their data was acquired by attackers.

The new law will also expand the notification requirements to companies outside New York, meaning that the statute will have a global reach. Any company, regardless of where they're based, will be required to notify New York consumers when their data has been accessed. The company does not have to have a physical space in New York to be subject to that mandate.

Notice requirements for the scope of information accessed through a data breach will also be changed. Consumers will now have to be notified if attackers access biometric information, like fingerprints, voice prints and other unique characteristics.

The law also mandates a notice to consumers when their email addresses and corresponding passwords, or security questions and answers, are accessed through a data breach. The same will be required when health information protected under HIPAA is accessed.

Consumers can be notified of a breach in the same ways that were previously acceptable under state law. Those include through a written notice, electronic notice, telephone call, posting on the company's website, notifying major statewide media outlets, and emailing a consumer, as long as that email address wasn't part of the data breach.

Notice to consumers will have to include contact information for the company, any telephone numbers or websites of relevant state and federal agencies that provide more information on data security, and a description of what information was accessed.

Companies that don't provide notice as required under the law may be faced with an enforcement action from the Attorney General's Office. The court may award damages to consumers whose data was accessed as the result of such an action. The Attorney General's Office can also seek a civil penalty of at least $5,000 or $20 per instance of failed notification.

Companies could face a civil penalty of up to $250,000 for failing to notify consumers. The previous cap was $150,000.

The Attorney General's Office will only be able to bring such an action within three years after a company's failure to notify a consumer is discovered, or when the company notified consumers but failed to meet the requirements of the law.

Consumers don't have to be notified if their data was exposed unintentionally to someone who's already authorized to access their private information, as long as it's not expected to be misused by that person or cause financial or emotional harm to the user, according to the bill.

Companies will still have to document such an event and keep records of it for five years. If such an incident involves the information of more than 500 residents in New York, the person or company will be required to provide a written determination to the state Attorney General's Office within 10 days of determining whether notification is necessary or not.

Those parts of the bill will take effect in 90 days, which lands in late October.

Companies will also be required to implement new security safeguards over the next eight months that comply with the new law. That part of the bill takes effect in March 2020.

The law prescribes that companies develop, implement and maintain “reasonable” safeguards to protect the security, confidentiality and integrity of private information, including the disposal of data. The “reasonable” standard was used in the law to consider the capacity of small businesses, which may not have the resources to set up expansive security safeguards.

Small businesses are defined in the law as companies with either fewer than 50 employees, less than $3 million in gross annual revenue for the last three fiscal years, or less than $5 million in total year-end assets.

Companies that exceed that standard will have to develop a more robust data security program. There are several requirements for such a program, outlined broadly as administrative, technical and physical safeguards. At least one employee will have to coordinate the security program, for example, which includes assessing the risk of information storage and disposal.

The bill was what's called a “program bill” from the Attorney General's Office, which is when a statewide elected official refers a bill to the Legislature for consideration. It was sponsored by Assemblyman Michael DenDekker, D-Queens, and State Sen. Kevin Thomas, D-Nassau. Both chair their respective chambers' committees on consumer protection.

The second bill is shorter, and relates to credit reporting agencies in particular. The law will require consumer credit reporting agencies to offer identity theft prevention and mitigation services to consumers who've been affected by a security breach of that company's data.

Credit reporting agencies will be required to provide identity theft prevention services for five years under the bill and will be prohibited from charging fees during security freezes on consumer credit reports.

That bill was sponsored by State Sen. Leroy Comrie, D-Queens, and Assemblyman Jeffrey Dinowitz, D-Bronx. It takes effect in two months, according to the legislation.

Cuomo, in a statement, said the legislation is another way for New York to add an extra layer of accountability when it comes to consumer data.

“As technology seeps into practically every aspect of our daily lives, it is increasingly critical that we do everything we can to ensure the information that companies are trusted with is secure,” Cuomo said. “The stark reality is security breaches are becoming more frequent and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data.”

READ MORE: