New York’s Attorney General Eric T. Schneiderman announced on January 15 that he would propose legislation to New York State lawmakers to revise New York’s data security laws and to require new safeguards for the personal data of New Yorkers. The legislation to be introduced by Mr. Schneiderman would broaden the scope of information that requires protection, impose stronger technical security measures for protecting that information, and create a safe harbor for companies that meet the required security standards.
“With some of the largest-ever data breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers. We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection,” said Schneiderman. “Our new law will be the strongest, most comprehensive in the nation. Let’s act now to make our state a national model for data privacy and security.”
The expanded definition of “Private Information” requiring protection would include an email address in combination with a password, and an email address in combination with a security question and answer. Private Information would also include medical information, as well as biometric information and health insurance information.
The proposed legislation would require such Private Information to be protected by administrative, technical and physical safeguards, similar to the requirements for information governed by the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Entities that annually obtain independent third-party audits and certifications showing compliance with these requirements would receive a rebuttable presumption of having reasonable data security under the proposed legislation.
The legislation would also give businesses an incentive to implement data security by offering a safe harbor for adopting “a heightened form” of security. According to the Attorney General, entities would be required to categorize their information systems according to the risk a data breach would pose to the information they store, and to implement and follow a data security plan based on a multitude of factors. A company that met this standard and obtained certification would be granted “the benefit of a safe harbor that could include elimination of liability altogether.”
Finally, the proposed legislation seeks to encourage companies to share forensic reports with relevant law enforcement agencies by providing that such sharing would not waive any legal privilege or protection afforded to the reports.
Many of the changes proposed by Mr. Schneiderman stand in contrast to President Obama’s proposed federal data breach notification law, introduced earlier in the week, which would give both the states’ Attorneys General and the FTC enforcement power under the statute. For example, New York’s definition of Private Information would still be narrower than the definition of “sensitive personal information” in the proposed federal statute, which greatly expands the scope of the definition to include, among other things, a credit or debit card account number without any other information linking that number to an individual account holder. In addition, many of the areas addressed by the federal legislation, such as the time period for notification, the type of incident that would trigger notification, and the inclusion of non-profit entities within the scope of the statute, were not addressed by Mr. Schneiderman in his remarks about the legislation he is proposing in New York.