Thu Jan 15, 2015 12:36am
New York Attorney General Eric Schneiderman will propose legislation on Thursday that he says would make the state's data security law the strongest in the country and require "unprecedented safeguards" for personal data.
Schneiderman's proposal seeks to broaden the scope of information that employers and retailers would be responsible to protect and will require stronger technical and physical security measures for protecting the information.
The proposal seeks to expand the definition of what constitutes "private information" to include email addresses and passwords, biometric information and health insurance details.
Companies are currently not required to report a data breach if it is limited to the theft of email addresses and passwords.
"It's long past time we updated our data security laws and expanded protections for consumers. We must also remind ourselves that companies can be victims, and that those who take responsible steps to protect customers should be rewarded," Schneiderman said.
All entities that are required to collect and store private information will need to have reasonable security measures to protect the information.
The proposal will also give businesses incentives to implement robust data-security measures by offering a safe harbor that would provide them some protection from liability in lawsuits if they can show that they took steps to protect private information.
In the event of a data breach, the state should incentivize companies to share forensic reports with law enforcement officials, according to the proposal.
If it becomes a law, New York's requirements would meet California standards in terms of the breadth of information covered, and exceed that state's standards in other ways, according to Matt Mittenthal, a spokesman for Schneiderman.
The announcement comes just as President Obama has proposed to improve cyber security standards, including updating its security breach reporting by standardizing the patchwork of 46 state laws by putting in place a single notice requirement.
A report by Schneiderman in July last year said the number of reported data security breaches in New York more than tripled between 2006 and 2013.
About 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches during the period, costing the public and private sectors in New York more than $1.37 billion in 2013, according to the report