On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:

  • personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
  • a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
  • unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).

The Data Security Act obligates entities to develop an information security program that includes:

  • administrative safeguards, such as conducting risk assessments, training employees and selecting service providers capable of maintaining appropriate safeguards;
  • technical safeguards, such as assessing risks in network and software design and regularly testing and monitoring the effectiveness of key controls; and
  • physical safeguards, such as disposing of electronic media so that the information cannot be read or reconstructed.

The Data Security Act deems certain specific entities in compliance with the law’s requirements, such as financial institutions that comply with the Gramm-Leach-Bliley Act, HIPAA-regulated entities, and entities that comply with NIST Standards. Entities that comply with the latest version of NIST Special Publication 800-53 are also immune from any civil liability under the Act.

The Data Security Act establishes a rebuttable presumption that an entity that obtains an independent third-party certification complies with the requirements of the law. The New York Attorney General is empowered to enjoin any violations of the Data Security Act, and can obtain civil penalties of $250 for each person whose private information was compromised, up to a maximum of $10 million. For knowing and reckless violations, these amounts can increase to $1,000 for each affected person up to a total of the higher of $50 million or three times the aggregate amount of any actual costs and losses.

The Data Security Act also amends New York’s breach notification law by using the expanded definition of “private information” discussed above. Previously, New York’s law did not cover breaches involving biometric information, user names and passwords, or protected health information.