Fast on the heels of President Obama’s proposal to create a national data breach notification standard, New York Attorney General Eric Schneiderman announced yesterday that he will propose legislation that would significantly strengthen New York’s existing data security laws and establish new consumer privacy protections. Citing the “prevalence and increase of data breaches” and the need “to protect consumers and businesses,” AG Schneiderman’s proposal:
- Expands New York’s Definition of Private Information: Current New York law does not include “email addresses and passwords, security questions, medical history and health insurance information,” among other categories, as “private information” subject to the breach notification obligation. The proposal would add to the state’s breach notification statute the combination of an email address and password, and of an email address with a security question and answer, as “private information” (similar to the laws passed in California and Florida last year), along with medical and health insurance information.
- Creates New Data Security Requirement: The proposal requires any company that “collects and/or stores” private information to adopt “reasonable security measures” to protect it, including administrative safeguards, such as training employees; technical safeguards that would identify risks to computer networks and software, prevent, detect and respond to attacks, and test and monitor systems; and physical safeguards that would protect the areas where private information is stored and ensure secure data disposal. The proposed legislation also gives any company that obtains an annual third-party certification of compliance with these measures “a rebuttable presumption of having reasonable data security” in the event of litigation.
- Creates a Safe Harbor for Heightened Security: To incentivize companies “to implement the most robust data security,” the proposal would grant such companies “a safe harbor that could include an elimination of liability [in the face of a data breach] altogether.” In order to obtain the safe harbor designation, companies would be required to, among other things, “categorize their information systems based on the risk a data breach imposes on the information stored” and “attain a certification.” The press release about the proposal does not indicate whether this would be a self-certification or a certification issued by a third party, such as the Attorney General’s office.
- Protects Shared Forensic Reports: The proposal would also incentivize companies to share forensic reports created following a breach with law enforcement officials by keeping such reports privileged and otherwise protected from disclosure.