There is no shortage of data-privacy and security laws in the United States. By our count, there are now about 300 state and federal statutes. They include breach-notification laws, data-disposal laws, data-safeguard laws, payment card information-protection laws … the list goes on and on. Quantity does not, unfortunately, always translate into quality. Most legislators and regulators have displayed relatively little creative thinking and pass largely redundant statutes that often confuse the business community rather than facilitate better practices. A distinct exception was a legislative proposal from the New York Attorney General’s Office last year that would have created a new framework for state data security regulation benefiting consumers, the business community, and regulators. We asked Kathleen McGee, Chief of the Bureau of Internet and Technology within the Office of the Attorney General of the State of New York, and the architect of the proposal, to explain the process by which that proposal was created. Please note that the views and opinions expressed are those of the author and do not necessarily reflect the official policy or position of Bryan Cave.

– David Zetoony

Developing a Better Approach – The Benefits of Public–Private Collaborations
By Kathleen McGee, New York State Attorney General’s Office

Public–private collaborations and regulation are not commonly perceived as the norm. But, in the New York Attorney General’s approach to addressing the data breach crisis, public-private collaboration was considered crucial to successful regulation.

Under New York State General Business Law section 899-aa, anyone who maintains private information of New Yorkers and subsequently experienced a breach of that information is required to notify the Office of the New York Attorney General, as well as two other state agencies. And in 2014, in the wake of some of the largest mega-breaches to date, NYAG undertook an analysis of all such data breach notifications to our office (the report may be found on our website at http://www.ag.ny.gov/pdfs/data_breach_report071414.pdf).

Our analysis yielded some interesting results. While breaches due to third-party intrusions were on the rise, so too were breaches resulting from negligence or other internal failures within a company. In other words, companies themselves were reporting that they were increasingly unable to protect the private information they maintained from their own internal failures. Confronted with this information, we asked ourselves: what about the current state of data security was working, what was failing, and what could NYAG do to strengthen data security for New Yorkers and the companies who did business in New York?

We first turned to an analysis of our existing state law and other data breach security laws across the country. We knew that many of the companies servicing New Yorkers operated nationally and therefore had to conform to the strictest laws of the land, even if those weren’t in New York. New York’s law was clearly not the most demanding – that honor went to states like California and Massachusetts, who had set the highest standards for reporting and encryption, for example. Nor was New York’s law prescriptive, like Oregon’s, which established reasonable guideposts any company could follow to better secure private information. Yet, breaches of New Yorkers’ private information were on an upward trajectory. Would a change in New York law have a positive impact on data security?

To find out, we turned to companies and consumer groups and, for six months, took our data and legal analysis on tour, so to speak. We asked these groups about their biggest concerns and obstacles in data security and also what they thought worked well in the existing regulatory landscape. The resulting conversations were forthright and candid, ranging from the principles to the practice of data security. We observed that generally, companies were incentivized to not have a breach. However, what incentivized companies – regulatory hammers, class actions, and bad press, to name a few – was not sufficiently laying the groundwork for meaningful data security. Bluntly put, strict deterrence alone was not positively affecting companies’ security of private information.

Could positive incentives and guideposts towards a better data security program be the answer? If so, how could New York craft legislation that reflected the real concerns of companies and consumers and yet be flexible enough to grow with the rapidly evolving data collection landscape and security concerns? In answer, and in collaboration with the private sector, NYAG crafted a simple set of affirmative incentives – a safe harbor for top-shelf data security and a rebuttable presumption for achieving commendable data security benchmarks – that would encourage and reward best practices for companies and ensure reasonable data security for consumers. And, we proposed a set of practical and reasonable data security guideposts companies could follow regardless of size or industry. The result was the NYAG’s Data Security Act, a practical prescription to the real concerns faced by business and consumer alike.

The public-private collaboration was critical to the end product. Taking the time to fully consider the applications of regulation to a company’s practice, appreciating how data is collected and utilized by companies, should be a hallmark of any data security legislation. A version of the Act had bipartisan support but fell short of passage this year. But we will continue to work with partners in industry to raise awareness of the issue next year, in hopes of passing the Data Security Act into law. Smart business and smart government alike can benefit from working together towards a better regulatory solution to data security.