A.G. Schneiderman Proposes Bill To Strengthen Data Security Laws, Protect Consumers From Growing Threat Of Data Breaches
New Legislation Would Impose Data Security Standards To Protect Personal Information; Broaden Scope Of Information Subject To Existing Notification Laws; And Encourage Companies To Meet Highest Standards For Data Protection
Schneiderman: It’s Long Past Time We Updated Our Data Security Laws And Expanded Protections For Consumers
NEW YORK—Attorney General Eric T. Schneiderman announced today that he would propose legislation in Albany to overhaul New York State’s data security law and require new and unprecedented safeguards for the personal data of consumers. Currently, New York State does not have a law directly requiring entities to institute data security measures to protect consumer information. Moreover, in the event of a data breach or unauthorized disclosure, companies are merely required to notify affected individuals if “private information” is compromised—which does not include email addresses and passwords, security questions, medical history and health insurance information, among other categories. Attorney General Schneiderman’s bill would broaden the scope of information that companies would be responsible for protecting; require stronger technical and physical security measures for protecting information; and create a safe harbor for companies who meet certain security standards, incentivizing them to adopt tough measures to protect personal data.
“With some of the largest-ever data breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers. We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection,” saidAttorney General Schneiderman. “Our new law will be the strongest, most comprehensive in the nation. Let’s act now to make our state a national model for data privacy and security.”
“Employers and consumers are equal victims when there is a breach of cyber security,” said Kathryn Wylde, President & CEO of the Partnership for New York City. “The Attorney General’s willingness to create a better process for preventing illegal cyber activities merits support from business and the public at large.”
David Zetoony, leader of Bryan Cave's global data privacy and security practice,said, "The approach that the Attorney General is proposing – providing a safe harbor from suit for companies that go the extra mile to audit and verify their security practices – is innovative, unique, and friendly to business. It rewards businesses with the best security practices by removing costly and counter-productive litigation, but does not penalize smaller businesses that have good security practices, but cannot afford the significant cost of annual data security audits and certifications. This is the type of thought leadership needed to improve data security legislation across the country."
Alan Raul, partner and global coordinator of Sidley Austin LLP’s Privacy, Data Security and Information Law Practice, said, "The Attorney General’s proposed bill would provide companies that commit to applying heightened data security standards a safe harbor against investigations by the Attorney General and potentially consumer liability. This is a creative approach to incentivize companies to adopt stronger safeguards and more rigorous control processes like those of the NIST Cybersecurity Framework. If New York enacts an effective safe harbor, it could be a very positive development to encourage uptake of substantively superior security. This would be a far cry better than merely perpetuating the current 'blame the victim' approach that has done little to prevent data breaches or promote better cybersecurity. Trading higher standards for a safe harbor could even be a productive model for the federal government and other states."
Given the prevalence and increase of data breaches over the past several years, it is clear that New York – and the United States as a whole – is in need of progressive legislation to protect consumers and businesses. According to a report issued by Attorney General Schneiderman in July, 2014, the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 data breaches, which cost the public and private sectors in New York upward of $1.37 billion in 2013 alone. In addition, the report found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches.
In the face of this growing threat, the Attorney General’s bill seeks to do the following:
- Expand Definition of Private Information- New York legislators should expand the definition of “private information” to include both the combination of an email address and password, and an email address in combination with a security question and answer, as California already has done. Additionally, the definition of private information should include medical information, including biometric information, and health insurance information.
- Legislate Reasonable Data Security Requirement- All entities that collect and/or store private information should be required to have reasonable security measures to protect said information. These measures should include:
- Administrative safeguardsto assess risks, train employees and maintain safeguards.
- Technical safeguardsto (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures.
- Physical safeguardsto have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored.
- Certification- Entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.
- Legislate a Safe Harbor to Provide an Incentive for a Heightened Level of Data Security– New York needs to incentive businesses to implement the most robust data security. To do so, New York should offer a safe harbor if a company adopts a heightened form of security. To comply, entities would be required to categorize their information systems based on the risk a data breach imposes on the information stored. Once information systems are categorized, a data security plan based on a multitude of factors would be implemented and followed. Once this standard is met, the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.
- Protection for Sharing Forensic Data- Finally, in the event of a data breach, New York should incentivize companies to share forensic reports with law enforcement officials. One way to accomplish this would be to make sure that the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection. This would allow companies to feel comfortable with the free sharing of information while giving authorities a better chance at catching those responsible.
Despite the risks posed by data security breaches, individuals and organizations can take practical steps to better guard themselves from threats. While it may be impossible to completely prevent data loss, organizations that implement data security plans can greatly reduce the harm caused by a data security breach. In addition, individuals can remain vigilant and take action to protect themselves against breaches. Tips can be found on the Attorney General’s website here.