The New York Attorney General has announced a proposal that would provide businesses with a “safe harbor” from liability if they implement certain data security standards. This could be welcome news given the current litigation landscape. Under the proposal, companies would be eligible for the safe harbor if they categorize information systems based on risk, implement a data security plan, and attain certification. Currently, the lack of clarity about legal obligations and effective security measures has resulted in significant uncertainty. The safe harbor would set some baseline standards and allow businesses to take proactive steps to reduce the threat of liability.
The FTC has initiated dozens of legal actions against companies for failing to adequately protect consumers’ information under Section 5(a) of the Federal Trade Commission Act, which prohibits unfair or deceptive practices. The FTC has successfully exerted its authority over data security without issuing specific regulations or standards, thereby permitting the agency to use its discretion in deciding which data security standards are “reasonable.” This, in turn, has created some ambiguity in the data security landscape. State unfair trade practices acts can also be used to bring class action suits, based on this same tenuous “reasonable” standard, against companies that suffer a data breach. Thus, companies face not only the potential heavy hand of federal regulators, but also the threat of class actions and private litigation.
New York’s legislation could help mitigate these threats by reducing some of the ambiguity in this area. It would provide guidance where it is desperately needed, and it could serve both as a benchmark for companies defending against claims and as a model for other jurisdictions. At the least, this proposal is promising and heading in the right direction.