New York Attorney General Eric Schneiderman, who has previously attested to the state's rising number of data breaches, is proposing enhanced data security legislation that would expand the definition of “private information.”
On Thursday, the attorney general pushed lawmakers to back a bill that takes a page from California's stringent data security legislation, which considers an email address, combined with a password or security question and answer, private data.
Schneiderman also proposed that New York legislators should expand the definition of “private information” to include medical information, meaning health insurance and biometric data would be protected under the law.
In a press release, the attorney general's office said that Schneiderman would propose the legislation in Albany, in a means to “overhaul New York State's data security law and require new and unprecedented safeguards for the personal data of consumers.”
“Currently, New York State does not have a law directly requiring entities to institute data security measures to protect consumer information,” the release added later. “Moreover, in the event of a data breach or unauthorized disclosure, companies are merely required to notify affected individuals if ‘private information’ is compromised—which does not include email addresses and passwords, security questions, medical history and health insurance information, among other categories.”
Last July, Schneiderman released a report on the number of data breaches in the state, and the costs associated with them, revealing that the number of reported breaches tripled between 2006 and 2013. Over the seven-year period, more than 22 million personal records belonging to New Yorkers were exposed in around 5,000 data breaches, the report said. In 2013, the cost to the public and private sectors was an estimated $1.37 billion.
While the expanded definition of “private information” is a major provision Schneiderman hopes to enact, the attorney general also proposed a “reasonable data security requirement” for entities collecting or storing private information. Certifications for compliance, implementation of physical safeguards (to prevent intrusions and improper disposal of sensitive data), risk assessments and employee training were among the steps organizations could take to meet the requirement.
He also proposed that companies have incentives for sharing forensic data with law enforcement, should a data breach occur.
“One way to accomplish this would be to make sure that the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection,” Schneiderman's announcement said.