On January 15, 2015, New York’s attorney general, Eric Schneiderman, proposed a new law that New York hopes will balance business and consumer interests while establishing the state as a leader in data security. The main effect of the proposed legislation would be to expand the definition of private information to include (i) email addresses with passwords or security questions and answers, (ii) medical information, including biometric information, and (iii) health insurance information, and to require companies to notify consumers and employees should they suffer a cyberattack or data breach. At the same time, the legislation would reward companies that self-police and share information with law enforcement for the purpose of investigating breaches by granting them a safe harbor from litigation.
The new legislation was based on a report published in July 2014 which found that 22.8 million personal records of New Yorkers were exposed between 2006 and 2013. In addition to the invasion of privacy suffered by consumers, New York businesses also lost more than $1.37 billion due to data breaches in 2013 alone. The report also found that attacks and their severity are on the rise. Half of the ten largest breaches occurred between 2011 and 2014, including the Target point-of-sale credit card breach, which affected between 70 million and 110 million consumers nationwide, and LivingSocial’s security breach, in which 50 million consumers had private information exposed to hackers. The report found that between 2006 and 2013, almost half of the breaches (40.78%) in New York were due to hacking, while a smaller but still significant percentage of breaches were due to lost or stolen equipment/documentation (23.69%) and insider wrongdoing (10.37%).
While the report provided consumers and retailers with helpful tips to avoid such large breaches, New York has now taken the report’s advice and molded it into proposed legislation. While companies would be held to a higher standard in protecting consumer information, the bill rewards companies that take the initiative to protect their customers by giving them a safe harbor against litigation.
Under the new legislation, not only would the definition of private information be expanded, but entities that collect and/or store private information would be required to implement additional safeguards to protect private information and to notify consumers in the event of a breach. First, entities would have to implement Administrative Safeguards that train employees on procedures to protect consumer information, assess ongoing risks to consumers and the entity, and maintain the safeguards created. Second, entities would have to create various Technical Safeguards that help them “(i) identify risks in their respective network, software and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures.” In addition, Physical Safeguards, such as protection of areas where private information is stored, specific destruction procedures for private information, and systems to detect invasions of privacy, would also have to be created.
The legislation proposes that companies that have third parties audit their implementation of such safeguards and receive annual certification that they are in compliance with New York law should be entitled to a rebuttable presumption in litigation that they had reasonable data security protocols. Companies that go even further in data privacy protection would get an additional incentive: a safe harbor from litigation. To attain the safe harbor, an entity would have to categorize the threat of data breaches to its information systems and create an individualized data security plan that would have to be certified as providing a heightened level of security. Once an entity obtained such a certification, it generally would be safe from litigation altogether. Finally, in order to help law enforcement authorities identify the culprits of future data breaches, the legislation proposes providing protection to entities that share forensic data for the purpose of investigating such breaches. The new law would make clear, though, that sharing such forensic data would not affect any privilege or protection attached to the data shared, so that entities feel more comfortable sharing such sensitive information.
If New York passes this legislation – which has been applauded by businesses and consumers alike – it would be the first such law in New York, and would go beyond even the California law passed in 2013, which is currently the strictest in the nation, while at the same time creating innovative rewards for businesses that go beyond the minimum requirements.