New York State is strengthening a law requiring companies that handle consumers' personal data to notify them about any data breaches.
Gov. Andrew Cuomo on Thursday signed legislation that expands the law to cover any company holding personal data belonging to a New Yorker, and not just companies doing business in the state.
The SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which takes effect in 240 days, will also add email addresses and passwords and biometric data to the list of information covered by the law. The measure aims to ensure consumers know if personal data, such as Social Security numbers, are obtained by hackers.
"The stark reality is security breaches are becoming more frequent," the governor said, "and with this legislation New York is taking steps to increase protections for consumers and holding these companies accountable when they mishandle sensitive data."
Cuomo also signed a bill Thursday that requires credit reporting agencies to provide identify theft prevention services to consumers when their data is exposed during a breach.
In signing both new laws, Cuomo noted this week's $19.2 million settlement between the state and Equifax, one of the main credit reporting agencies, for a major data breach in 2017. The settlement with New York is part of a nationwide agreement that could result in Equifax paying up to $700 million in fines and monetary relief to consumers over the breach that affected nearly 150 million people.
"The magnitude of this breach is still unknown, but the company's response was insufficient and it is unacceptable that consumers were left to bear the burden to protect their own identities even though their information was stolen at no fault of their own," Cuomo said.
NPR contributed to this story.