New York’s Attorney General, Eric T. Schneiderman, plans to propose new data security legislation this year which, if enacted, could result in New York having one of the strongest data breach laws in the country. 

The proposed legislation would bolster New York’s existing Information Security Breach and Notification Act, found in Section 208 of the State Technology Law and Section 899-aa of the General Business Law.  Existing law requires companies to notify customers when “private information” is compromised but does not require companies to institute preventative data security measures.

The new legislation would expand upon New York’s definition of what constitutes protected “private information” to include email addresses and passwords, security questions, medical history, health insurance information, and other categories of data.  The current definition is limited to social security numbers, driver’s license numbers and identification card numbers, and account numbers and credit or debit card numbers with any required passcode.  The bill would also require companies to institute more comprehensive data security protections, including stronger physical and technical measures and tougher administrative safeguards focused on minimizing internal risks.  As a carrot to encourage companies to comply with the legislation, the proposed bill would provide a safe harbor to companies that meet data security standards and receive required certifications.  

More information on the Attorney General’s proposal is available on the New York Attorney General’s website.