Securing The Empire State: NYAG Proposes Tougher Data Breach Legislation

In the wake of the White House’s data breach proposal, New York Attorney General Eric Schneiderman announced his plan to propose new legislation to enhance New York’s data security regime. The NYAG’s January 15th press release stated that the updated law would be “the strongest, most comprehensive in the nation” and indicated that the legislation — a draft of which is yet to be released as of this publication date — will include the following key provisions.

First, the NYAG’s proposal includes in the definition of “private information” both “the combination of an email address and password, and an email address in combination with a security question and answer.” Further, private information would also encompass “medical information, including biometric information, and health insurance information.” This updated definition would be more expansive than current New York law. However, the new definition may still turn out to be narrower than the definition of “sensitive personally identifiable information” in the White House’s proposal, which among other things includes “a unique account identifier, including a financial account number or credit or debit card number, electronic identification number, user name, or routing code” without additional information connecting that data to an individual (e.g., a security code, access code, or password as required under current New York law).

In addition, the proposal would require “[a]ll entities that collect and/or store private information … to have reasonable security measures to protect said information.” These measures include administrative safeguards to “assess risks, train employees and maintain safeguards;” technical safeguards to “(i) identify risks in [entities’] respective network, software, and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures;” and physical safeguards to “have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored.” The proposal also contemplates a certification procedure whereby companies that “obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements” would receive “a rebuttable presumption of having reasonable data security.”

Further, the NYAG proposes a safe harbor for companies with robust data security systems. To be eligible for the safe harbor, companies “would be required to categorize their information systems based on the risk a data breach imposes on the information stored” and, when the systems are categorized appropriately, “a data security plan based on a multitude of factors would be implemented and followed.” If this standard is achieved, companies would be required to get a certification and “upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.” Finally, the NYAG’s proposal would encourage companies to share forensic reports related to data breaches with law enforcement personnel by ensuring that “the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection.”

With respect to the planned legislative proposal, the NYAG stated that “[w]ith some of the largest-ever data breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers. We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection.” The media has reported that the NYAG anticipates attracting both Republican and Democratic sponsors for the proposed legislation.

Reporter, Kyle Sheahen, New York, +1 212 556 2234