New York Attorney General Looks to Strengthen Data Security Laws

New York Attorney General Eric Schneiderman is proposing legislation to strengthen data security laws to protect consumers from having their personal data stolen.

There currently is no law in New York that requires businesses to institute data security measures to protect consumer information. If a data breach occurs, companies only have to notify affected individuals if their "private information" was compromised.

Schneiderman's proposed bill would require business to notify a consumer if their email and passwords as well as security questions and answers were stolen in the event of a data breach or unauthorized disclosure.  The definition of "private information" (for the purpose of notification) would also expand to include data about a consumer's medical information and health insurance. Currently, “private information” only pertains to protecting an individual’s Social Security number, driver’s license and credit card number. California has already implemented a similar rule.

Furthermore, all companies that collect "private information" should have security measures installed to protect this data. Schneiderman said this includes training employees to assess risks and instituting technical safeguards to identify threats within a business’s network and respond to possible attacks. Businesses would have to obtain third-party audits and certifications annually confirming that they are complying with these data security requirements, Schneiderman said.

Schneiderman is also looking to provide businesses that implement robust data security a safe harbor against investigations by the Attorney General and potential consumer liability if a data breach occurs. In order to be part of this safe harbor, entities would be required to categorize their information systems based on the risk a data breach imposes, to develop a more secure internal data security plan. Companies who also share forensic reports with law enforcement officials would receive incentives, according to Schneiderman.

"It's long past time we updated our data security laws and expanded protections for consumers," Schneiderman said in a Thursday press release. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."  

The number of reported data security breaches in New York more than tripled between 2006 and 2013, Schneiderman revealed in a report last July. During this time period, 22.8 million New Yorkers had their personal records exposed in approximately 5,000 data breaches, Schneiderman said. The report concluded that hacking intrusions were the leading cause of data security breaches, accounting for nearly 40% of all breaches. 

Several major retailers including Target, Home Depot, Michaels, Neiman Marcus, Sally Beauty Queen, P.F. Chang's, Dairy Queen, and Chick-fil-A have recently had security breaches. More than 679 breaches took place in 2014, according to the Identity Theft Resource Center, which is a 25% increase than the previous year.

"The approach that the Attorney General is proposing—providing a safe harbor from suit for companies that go the extra mile to audit and verify their security practices—is innovative, unique, and friendly to business," said David Zetoony, leader of global data and security practice for Bryan Cave. "It rewards businesses with the best security practices by removing costly and counter-productive litigation, but does not penalize smaller businesses that have good security practices, but cannot afford the significant cost of annual, data security audits and certification."

For reprint and licensing requests for this article, click here.
Bank technology Consumer banking
MORE FROM AMERICAN BANKER