New York Attorney General Eric Schneiderman, who has previously attested to the state's rising number of data breaches, is proposing enhanced data security legislation that would expand the definition of “private information.”
On Thursday, the attorney general pushed lawmakers to back a bill that takes a page from California's stringent data security legislation, which considers an email address, combined with a password or security question and answer, private data.
Schneiderman also proposed that New York legislators should expand the definition of “private information” to include medical information, meaning health insurance and biometric data would be protected under the law.
In a press release, the attorney general's office said that Schneiderman would propose the legislation in Albany as a means to “overhaul New York State's data security law and require new and unprecedented safeguards for the personal data of consumers.”
“Currently, New York State does not have a law directly requiring entities to institute data security measures to protect consumer information,” the release added later. “Moreover, in the event of a data breach or unauthorized disclosure, companies are merely required to notify affected individuals if ‘private information’ is compromised—which does not include email addresses and passwords, security questions, medical history and health insurance information, among other categories.”
Last July, Schneiderman released a report on the number of data breaches in the state, and the costs associated with them, revealing that the number of reported breaches tripled between 2006 and 2013. Over the seven-year period, more than 22 million personal records belonging to New Yorkers were exposed in around 5,000 data breaches, the report said. In 2013, the cost to the public and private sectors was an estimated $1.37 billion.
While the expanded definition of “private information” is a major provision Schneiderman hopes to invoke, the attorney general also proposed a “reasonable data security requirement” for entities collecting or storing private information. Certifications for compliance, implementation of physical safeguards (to prevent intrusions and improper disposal of sensitive data), risk assessments and employee training were among the steps organizations could take to meet the requirement.
He also proposed that companies have incentives for sharing forensic data with law enforcement, should a data breach occur.
“One way to accomplish this would be to make sure that the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection,” Schneiderman's announcement said.
Lastly, Schneiderman said that the bill would also incentivize businesses to improve their data security standards by providing a “safe harbor that could include an elimination of liability altogether,” if they obtain certification for a certain level of data security.
Mike Lloyd, CTO at security analytics firm RedSeal, told SCMagazine.com in a Friday interview that the attorney general's proposal includes provisions that would appeal to decision makers at enterprises, whose interests aren't always aligned with those of customers.
“We do have a cybersecurity crisis, and we do need more disclosure,” Lloyd said. “But one of the problems with that is we have been going after companies with a claw, saying we will prosecute you if you don't disclose breaches. What's different now with the president's proposal and the attorney general's proposal, is that there is a benefit in going after you with a carrot and not a stick.”
“We need companies to disclose and they don't want to,” Lloyd added later. “We want them to come clean and we need to give them some assurances.”
Schneiderman's announcement follows President Obama's call earlier this week for federal data breach legislation and law that better protects student data. Obama's speech has already spurred some action in Washington among those hoping to gain bipartisan support for data security legislation.
After the president's proposal, Sen. Bill Nelson, D-Fla., revealed that he was in the final stages of drafting the Data Security and Breach Notification Act of 2015, which would carry a 30-day notification requirement for breached entities nationwide. Nelson plans to reintroduce the bill after similar legislation failed to move forward in 2014.
Under the proposed law, entities would have no more than 30 days to notify consumers of a breach, if it puts them at “reasonable risk” of fraud, identity theft or “unlawful conduct as a result of the breach,” except for certain scenarios – when it is determined that the 30-day timeframe is “not feasible,” or if the FBI or Secret Service informs the organization that notification would “impede criminal investigation or national security.”