Jan 15 New York Attorney General Eric
Schneiderman will propose legislation on Thursday that he says
would make the state's data security law the strongest in the
country and require "unprecedented safeguards" for personal
data.
Schneiderman's proposal seeks to broaden the scope of
information that employers and retailers would be responsible to
protect and will require stronger technical and physical
security measures for protecting the information.
The proposal seeks to expand the definition of what
constitutes "private information" to include email addresses and
passwords, biometric information and health insurance details.
Companies are currently not required to report a data breach
if it is limited to the theft of email addresses and passwords.
"It's long past time we updated our data security laws and
expanded protections for consumers. We must also remind
ourselves that companies can be victims, and that those who take
responsible steps to protect customers should be rewarded,"
Schneiderman said.
All entities that are required to collect and store private
information will need to have reasonable security measures to
protect the information.
The proposal will also give businesses incentives to
implement robust data-security measures by offering a safe
harbor that would provide them some protection from liability in
lawsuits if they can show that they took steps to protect
private information.
In the event of a data breach, the state should incentivize
companies to share forensic reports with law enforcement
officials, according to the proposal.
If it becomes a law, New York's requirements would meet
California standards in terms of the breadth of information
covered, and exceed that state's standards in other ways,
according to Matt Mittenthal, a spokesman for Schneiderman.
The announcement comes just as President Obama has proposed
to improve cyber security standards, including updating its
security breach reporting by standardizing the patchwork of 46
state laws by putting in place a single notice requirement.
A report by Schneiderman in July last year said the number
of reported data security breaches in New York more than tripled
between 2006 and 2013.
About 22.8 million personal records of New Yorkers have been
exposed in nearly 5,000 data breaches during the period, costing
the public and private sectors in New York more than $1.37
billion in 2013, according to the report.
