From March 2020, New York state legislation will require organizations to notify people whose email address was compromised in a data breach together with authentication credentials (password and/or security questions and answers) “in the most expedient time possible and without unreasonable delay,” which in practice means within 30 days.
The new legislation, called the Stop Hacks and Improve Electronic Data Security (SHIELD) Act also covers biometric data. It was inspired by the 2017 Equifax data breach and the EU’s General Data Protection Regulation (GDPR). Governor Andrew Cuomo signed it into law last Thursday.
Read more: New York updates its breach notification law in response to Equifax, GDPR
