N.Y. AG Seeks to Toughen Data Safeguards
Plan Would Require Businesses to Fortify Privacy Measures
New York State Attorney General Eric Schneiderman proposes to update state law to require businesses serving New York consumers to implement safeguards to protect stored personal consumer data, including medical, biometric, health insurance information and more.
The proposed legislation would expand the definition of private information to include an e-mail address combined with a password, or an e-mail address combined with a security question and answer, as California has done. Such a law, if enacted as Schneiderman proposes, would also require out-of-state businesses to comply if they serve customers who live in New York.
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," Schneiderman says in a statement unveiling his proposal. "Our new law will be the strongest, most comprehensive in the nation. Let's act now to make our state a national model for data privacy and security."
The legislative proposal would provide a safe harbor to businesses that comply with the new requirements, meaning that a good-faith effort could shield them from liability actions resulting from a breach. To receive liability protection, businesses must be certified by an approved third-party auditor.
Privacy lawyer David Zetoony characterizes that provision as truly innovative, noting that it would shield businesses - themselves victims of a crime - from plaintiffs' class-action suits when they have taken responsible steps to protect consumers.
He says such a state law could prevent lawsuits from being filed in other states that purport to represent a national class of consumers. "While suits filed in other jurisdictions on behalf of consumers from other states would not be bound by the New York legislation, judges very well may look at the New York legislation for guidance concerning what is, and is not, by definition reasonable when it comes to security practices," says Zetoony, leader of the global data privacy and security practice at the Bryan Cave law firm in Washington.
What's unclear is whether a national data breach notification law, such as the one proposed by President Obama, would pre-empt the statute proposed by Schneiderman. That's because the language of both legislative proposals has yet to be made public (see Obama's Breach Notification Plan Lacks Specifics). A national breach notification law, if enacted, is expected to pre-empt the notification requirements of the existing breach notification statutes of 47 states and Washington, D.C., but Schneiderman's proposal goes far beyond notification.
In Congress, a Republican majority strongly opposes regulating the IT security of businesses. But in the state of New York, opposition is not as strong, because the state has a Democratic governor, a Democratic majority in the Assembly and a small GOP majority in the Senate. The attorney general's office has had productive discussions with lawmakers in both legislative chambers, a spokesperson for the office says, suggesting bipartisan support. No bill has been introduced yet; the AG's office is in the process of drafting the legislation and lining up sponsors and supporters.
The leader of one business advocacy group, the Partnership for New York City, has endorsed Schneiderman's proposal. "The attorney general's willingness to create a better process for preventing illegal cyber-activities merits support from business and the public at large," says Kathryn Wylde, CEO of the not-for-profit organization that represents hundreds of top corporate, investment and entrepreneurial firms.
An outline of the proposal furnished by Schneiderman's office shows that the plan would require administrative, technical and physical safeguards. Administrative safeguards include assessing risk, training employees and maintaining privacy protections. Technical safeguards involve identifying risks in a business's networks, software and information processes; detecting, preventing and responding to attacks; and regularly testing and monitoring systems, controls and procedures. Physical safeguards would include following special procedures to dispose of personal information, detecting and responding to intrusions, and protecting the physical areas where information is stored.
Schneiderman also proposes the law should incentivize companies to share forensic reports with law enforcement officials. One way to accomplish this would be to make sure that the disclosure of a forensic report to a law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privacy privilege or protection. The attorney general says this would encourage companies to share information while giving authorities a better chance at catching those responsible for breaches.