Last week, New York Attorney General Eric Schneiderman announced that he would propose a new data security law in his state that would require companies to adopt increased safeguards for the protection of personal information. The bill, if passed, would broaden the scope of information that companies would be responsible for protecting, and would require stronger technical and physical security measures for protecting that information. Specifically, the bill would apply to all entities doing business in New York that collect and store private information, and would require such entities to have reasonable security measures in place, including:
- Administrative safeguards to assess risks, train employees and maintain safeguards
- Technical safeguards to (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks, and (iii) regularly test and monitor systems controls and procedures
- Physical safeguards, including special disposal procedures, detection of and response to intrusions, and protection of the physical areas where information is stored
Under the law, entities that obtain annual, independent third-party audits and certifications showing compliance with the state’s data security requirements would receive a rebuttable presumption, for use in litigation, of having reasonable data security measures in place. To incentivize companies to adopt tougher data security measures, the new bill will also include a safe harbor provision for those companies that certify that they have implemented heightened data security standards. In order to qualify for the safe harbor, entities would be required to categorize their data systems based on the risk that a data breach would pose to the data stored. An appropriate data security plan considering such risks and other factors would then need to be implemented and followed. If this standard is met, the entity would need to obtain a certification, though it is not yet clear from whom the certification would need to be obtained. Upon obtaining the certification, the entity would be granted the benefit of a safe harbor that may eliminate its liability entirely under the law. In addition, the proposed law would amend the state’s existing data breach notification law to include in the definition of "private information" the combination of an email address and password, the combination of an email address with a security question and answer, medical data, and health insurance information (entities are currently not required under the law to notify consumers of a breach of any of these types of information).
The attorney general shared his ambitious goal for the bill, saying that he envisions that the "new law will be the strongest, most comprehensive in the nation." Citing the high number of data breaches last year, he said that he wanted New York's law to serve as "a national model for data privacy and security." While a copy of the proposed legislation is not yet publicly available, we envision that it will bear some similarities to Massachusetts' Data Protection Regulations, in that both set forth specific minimum standards that companies are required to meet in connection with the safeguarding of personal information. We have previously covered some of the requirements under the Massachusetts Regulations here. With President Obama also pushing his own privacy and cybersecurity agenda, 2015 could potentially bring a drastic change in the privacy law landscape. We will be following these legislative developments closely.