Earlier this month, the New York Attorney General Eric T. Schneiderman announced a legislative proposal that would strengthen protections for private information by expanding the state’s breach notification law to cover e-mails, passwords and health data, require companies to implement data security measures, and notify consumers and employees in the event of a breach. If passed, the Attorney General said that the “new law will be the strongest, most comprehensive in the nation.” In announcing the proposal, the Attorney General cited his 2014 report finding that the number of reported data security breaches in New York more than tripled between 2006 and 2013.
The proposal would be a significant change to the state’s current definition of what constitutes private information (which has not been updated since 2005), which includes a person’s social security number; driver’s license number or non-driver identification card number; or account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. The proposed law would expand the definition of protected personal information to include medical history and health insurance information.
Additionally, and similar to the approach taken in Florida when it rewrote its breach notification law, the proposed bill would require all companies to have reasonable data security measures, including administrative, technical, and physical safeguards and to obtain independent data security certification. As an incentive for adopting strong data security standards, the law would provide companies with some protection from liability in civil lawsuits if they can demonstrate having taken adequate steps to protect private information from being hacked or inadvertently released.
The Attorney General will need sponsors in the New York State legislature to introduce a bill that would advance his agenda, although the New York Assembly has already introduced Bill A10190 which would amend the Empire State’s existing breach notification law to require entities which conduct business in the state, and which own or license computerized data which includes private information to develop, implement, and maintain a comprehensive information security program. However, whether or not either effort is successful, these attempts together with President Obama’s call for a national standard for data breach notification and efforts in other states indicate the heightened attention being given to data privacy and the impact of data breaches.