New York Attorney General Eric T. Schneiderman announced Thursday plans to propose legislation to overhaul the state's data security law while requiring new safeguards for the personal data of consumers.
The state currently doesn't have a law directly requiring entities to have data security measures to protect consumer information. When a data breach or unauthorized disclosure occurs, companies are only required to notify affected individuals if "private information" is compromised.
This doesn't include key categories such as email addresses and passwords, security questions, medical history and health insurance information.
The bill would broaden the scope of data that companies are responsible for protecting; require stronger technical and physical security measures for protecting data; and create a safe harbor for companies who meet certain security standards, incentivizing them to adopt tough measures to protect personal data, according to Schneiderman's office.
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers. We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection," he said. "Our new law will be the strongest, most comprehensive in the nation. Let's act now to make our state a national model for data privacy and security."
The bill will seek to do the following:
Expand Definition of Private Information - New York legislators should expand the definition of "private information" to include both the combination of an email address and password and an email address in combination with a security question and answer, as California already has done. Also, the definition of private information should include medical information, including biometric information and health insurance information.
Legislate Reasonable Data Security Requirement - All entities that collect and/or store private information should be required to have reasonable security measures to protect said information. These measures should include:
- Administrative safeguards to assess risks, train employees and maintain safeguards.
- Technical safeguards to identify risks in their respective network, software and information processing and to detect, prevent and respond to attacks.
- Physical safeguards to have special disposal procedures, detection and response to intrusions and protect the physical areas where information is stored.
Certification - Entities that obtain independent third-party audits and certifications annually showing compliance with New York's reasonable data security requirements should receive a rebuttable presumption, for use in litigation, of having reasonable data security.
Legislate a Safe Harbor to Provide an Incentive for a Heightened Level of Data Security - New York needs to incentivize businesses to implement the most robust data security. To do so, New York should offer a safe harbor if a company adopts a heightened form of security. To comply, entities would be required to categorize their information systems based on the risk a data breach poses to the information stored. Once information systems are categorized, a data security plan based on a multitude of factors would be implemented and followed. Once this standard is met, the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.
Protection for Sharing Forensic Data - Finally, in the event of a data breach, New York should incentivize companies to share forensic reports with law enforcement officials. One way to accomplish this would be to make sure that the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection. This would allow companies to feel comfortable with the free sharing of information while giving authorities a better chance at catching those responsible.
David Zetoony, head of Bryan Cave's global data privacy and security practice, said, "The approach that [the Attorney General's office] is proposing, providing a safe harbor from suit for companies that go the extra mile to audit and verify their security practices, rewards businesses with the best security practices by removing costly and counter-productive litigation [and] does not penalize smaller businesses that have good security practices but cannot afford the significant cost of annual data security audits and certifications. This is the type of thought leadership needed to improve data security legislation across the country."
According to a report issued by Schneiderman's office in July 2014, the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 data breaches, which cost the public and private sectors in New York upward of $1.37 billion in 2013 alone.
The report also found that hacking intrusions, where third parties gain unauthorized access to data stored on a computer system, were the leading cause of data security breaches, accounting for roughly 40% of all breaches.