On January 15, 2015, New York Attorney General Eric Schneiderman announced that he would be proposing legislation to overhaul New York’s data security law and require new and unprecedented safeguards for personal data of consumers. While the proposal has yet to be released, the Attorney General’s press release indicates that the proposal will include a substantive standard for preventing and responding to a data breach. In other words, the proposal would require all entities that collect or store information to take specific steps to ensure reasonable security measures to protect information. If passed, New York will join a select few states, including Maryland and Massachusetts, that require specific actions to avoid and respond to a data breach.

Under current laws in New York, companies are merely required to notify affected individuals if “private information” is compromised. In other words, a company experiencing a data breach is not specifically required to give notice when a consumer’s email addresses and passwords, security questions, medical history and health insurance information have been compromised.

According to the press release, Attorney General Schneiderman’s bill would broaden the scope of information that companies would be responsible for protecting; require stronger technical and physical security measures for protecting information; and create a safe harbor for companies who meet certain security standards, incentivizing them to adopt tough measures to protect personal data.

“Our new law will be the strongest, most comprehensive in the nation,” said the Attorney General. “Let’s act now to make our state a national model for data privacy and security.”

The January 15, 2015 press release noted that the proposal will include the following recommendations:

• Expand Definition of Private Information- expanding the definition of “private information” to include both the combination of an email address and password, and an email address in combination with a security question and answer. Additionally, the definition of private information should include medical information, including biometric information, and health insurance information.

• Legislate Reasonable Data Security Requirement- All entities that collect and/or store private information should be required to have reasonable security measures to protect said information. These measures should include:

  • Administrative safeguards to assess risks, train employees and maintain safeguards.
  • Technical safeguards to (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures.
  • Physical safeguards to have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored.
  • Certification- Entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.

• Legislate a Safe Harbor to Provide an Incentive for a Heightened Level of Data Security- Incentivizing businesses to implement the most robust data security by offering a safe harbor if a company adopts a heightened form of security. To comply, entities would be required to categorize their information systems based on the risk a data breach poses to the information stored. Once information systems are categorized, a data security plan based on a multitude of factors would be implemented and followed. Once this standard is met, the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.

• Protection for Sharing Forensic Data- In the event of a data breach, the legislation would incentivize companies to share forensic reports with law enforcement officials. This would allow companies to feel comfortable with the free sharing of information while giving authorities a better chance at catching those responsible.

Perhaps the most notable portion of the proposed legislation is the “Safe Harbor” provision that would essentially provide immunity to those companies that adhere to New York’s heightened standard. The “Safe Harbor” provision is an innovative approach that could potentially incentivize companies to adopt stronger safeguards and more rigorous control processes to avoid costly Attorney General investigations in the event of a data breach.

AG Schneiderman joins a growing chorus of Attorneys General calling for stricter data breach laws. In December 2014, Oregon Attorney General Ellen Rosenblum proposed tougher requirements for companies to disclose data breaches that expose consumers’ personal information. In October 2014, California Attorney General Kamala Harris released a report outlining the growing threat of data breaches to California residents. That report included a number of recommendations to California lawmakers, such as revising the breach notice law in order to strengthen the consumer notification procedure; clarifying the roles and responsibilities of data owners and data maintainers; and requiring a final breach report to the Attorney General’s Office.

Enhanced data breach laws are also gaining traction at the federal level. It has been widely reported that President Obama will propose a federal data breach law during his State of the Union address on January 20, 2015.

For continued updates on this and other cyber security news, follow the Consumer Financial Protection Law Monitor.