New York Attorney General Eric T. Schneiderman announced that he will propose new legislation aimed at strengthening the state’s data security law by mandating new safeguards for protecting the personal information of consumers, broadening the scope of information that is subject to New York’s existing notification laws and incentivizing companies to meet heightened security standards by creating a safe harbor for compliance.
New York does not currently have a law that requires companies to put specific data security measures in place to protect the private information of consumers. The state’s current breach reporting law only requires that companies notify consumers in a timely manner when a breach has occurred that impacts their personal information.
According to the Attorney General’s announcement, the legislation would:
Expand the definition of private information. Following the California model, the definition of private information would be expanded to include a consumer’s email address and password, an email address combined with a security question and answer, medical information and health insurance information.
Require reasonable data security measures. Any entity that collects and/or stores private consumer information would be required to institute the following safeguards to protect that information:
Administrative: includes risk assessment, employee training and processes to maintain safeguards.
Technical: includes identifying risks within a company’s own network, software and information processing; processes for detecting, responding to and preventing attacks; and systems controls and procedures for testing and monitoring.
Physical: includes safeguards for the proper disposal of private information, intrusion detection and response, and security protection in physical areas where data is stored.
Certification: companies that demonstrate compliance with the reasonable data security requirements via annual independent third-party certification will receive a rebuttable presumption of having reasonable data security for use in litigation.
Institute a safe harbor for compliance. To incentivize businesses to implement a heightened level of data security, the state would offer a safe harbor that could include an elimination of all liability if certain standards are met.
Incentivize sharing of forensic data with law enforcement. To incentivize companies to share forensic details with law enforcement when a data breach occurs, the state would make sure that such disclosures do not affect any privilege or protection.
“With some of the largest-ever breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers,” said Schneiderman. “Our new law will be the strongest, most comprehensive in the nation.”
PIB Law represents national banks, retailers, reinsurers, insurers, mortgage lenders and financial services companies from its offices in New Jersey, New York City, Boston, Chicago, San Antonio and Philadelphia. For more information, contact PIB Law at 908-725-9700.