In addition to strengthening notification laws, Attorney General Schneiderman is proposing incentive programs to ensure businesses comply with laws.
New York Attorney General Eric Schneiderman has proposed a set of rules that would overhaul statewide data security laws and strengthen consumer protection.
As New York State rules stand, businesses are required to notify those affected by a security breach if “private information” is compromised. But “private information,” according to New York State Technology Law 208, only includes Social Security numbers, driver's license or non-driver ID numbers, or any account numbers and passwords “which would permit access to an individual's financial account.”
The newly proposed rules, however, would mandate that businesses also notify users affected if a data breach included email addresses and passwords, security questions, or medical or health insurance information.
Schneiderman's announcement comes just days after President Barack Obama announced legislation proposing a national standard for consumer protection in the face of a data breach. Though President Obama gave few details about the proposed legislation (some expect him to go into more detail at the State of the Union on Tuesday), he did say that companies would be required to notify users of a data breach within 30 days.
Schneiderman also proposes a mandate requiring every company that stores private information to have reasonable security measures, such as employee training, regular tests of controls and procedures, and protection of physical places where information is stored.
Under the bill, Schneiderman proposes that New York State offer an incentive program for businesses to adopt a “model security” standard, as well as a program to incentivize companies to share forensic reports with law enforcement by ensuring that the disclosure would not be considered a breach of privilege or protection. Businesses that meet the model security standard would be granted some form of safe harbor protection that could include an “elimination of liability or burden shifting effect in litigation surrounding a data breach.”
In an initial draft of the announcement of the bill provided by the Attorney General's deputy press secretary Elizabeth Bold, the proposed incentive programs included tax breaks as an option. But ultimately, Bold told BuzzFeed News, that aspect of the incentive program “never got past initial stages of bill drafting.”
This isn't the first time Schneiderman has spoken out on technology issues in New York. In October of last year, Schneiderman faced a slew of criticism and was seen as a new technology opponent after a series of legal battles against companies like Lyft, Uber, and Airbnb. But in more recent battles between government regulators and Uber and Lyft, Schneiderman has come out staunchly in support of the tech companies. As BuzzFeed News reported in November, Schneiderman wrote a letter to the TLC criticizing a proposed set of rules for restricting competition.
There are currently security breach notification laws in 47 states, but the breadth and depth of the laws vary greatly. Schneiderman claims the bill as proposed would be the nation's most comprehensive. “Let's act now to make our state a national model for data privacy and security,” Schneiderman said via a press statement.