New York Attorney General Eric Schneiderman is proposing legislation to strengthen data security laws to protect consumers from having their personal data stolen.
There currently is no law in New York that requires businesses to institute data security measures to protect consumer information. If a data breach occurs, companies only have to notify affected individuals if their "private information" was compromised.
Schneiderman's proposed bill would require businesses to notify a consumer if their email and passwords, as well as security questions and answers, were stolen in a data breach or unauthorized disclosure. The definition of "private information" (for the purpose of notification) would also expand to include data about a consumer's medical information and health insurance. Currently, private information only pertains to protecting an individual's Social Security number, driver's license and credit card number. California has already implemented a similar rule.
Furthermore, all companies that collect "private information" should have security measures installed to protect this data. Schneiderman said this includes training employees to assess risks and instituting technical safeguards to identify threats within a business's network and respond to possible attacks. Businesses would have to obtain third-party audits and certifications annually confirming that they are complying with these data security requirements, Schneiderman said.
Schneiderman is also looking to provide businesses that implement robust data security a safe harbor against investigations by the Attorney General and potential consumer liability if a data breach occurs. In order to be part of this safe harbor, entities would be required to categorize their information systems based on the risk a data breach imposes, to develop a more secure internal data security plan. Companies who also share forensic reports with law enforcement officials would receive incentives, according to Schneiderman.
"It's long past time we updated our data security laws and expanded protections for consumers," Schneiderman said in a Thursday press release. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
The number of reported data security breaches in New York more than tripled between 2006 and 2013, Schneiderman revealed in a
Several major retailers including
"The approach that the Attorney General is proposing, providing a safe harbor from suit for companies that go the extra mile to audit and verify their security practices, is innovative, unique, and friendly to business," said David Zetoony, leader of global data and security practice for Bryan Cave. "It rewards businesses with the best security practices by removing costly and counter-productive litigation, but does not penalize smaller businesses that have good security practices, but cannot afford the significant cost of annual, data security audits and certification."