The state doesn't currently have a law requiring companies to protect consumer information, and companies are only required to notify affected consumers of a compromise of "private information," a term that doesn't cover email addresses, passwords, security questions, medical histories or health insurance information.
The bill would expand the definition of private information to include the combination of an email address and password, the combination of an email address with a security question and answer, medical information (including biometric information), and health insurance information.
HyTrust vice president Michele Borovac told eSecurity Planet by email that expanding the definition of private information is a necessary and useful move. "Login credentials are the key to most online activity, and are often shared across private and work applications," she said. "So if an attacker gets one set of credentials, they may be able to use them much more broadly."
The bill would also require all entities that collect and/or store private information to have administrative safeguards in place to assess risks, train employees, and maintain those safeguards; to have technical safeguards in place to identify risks, prevent and respond to attacks, and monitor controls and procedures; and to have physical safeguards in place to detect intrusions, protect physical areas where data is stored, and to have special disposal procedures.
It would also enable companies to obtain certifications demonstrating compliance with data security requirements, based on independent third-party audits, which would offer them safe harbor from liability for any breaches. To comply, companies would be required to categorize their information systems based on the potential impact of a data breach, and to implement and follow a detailed data security plan.
Finally, the bill would incentivize companies to share forensic reports with law enforcement in the event of a breach, possibly by ensuring that the disclosure of a forensic report to law enforcement wouldn't affect any privileges or protections.
RedSeal CTO Dr. Mike Lloyd said by email that it's good Schneiderman recognizes these types of policies can't be all stick and no carrot. "This is important, because the interests of individual business decision makers are not always well-aligned with the interests of customers -- disclosure can be painful and disruptive, and corporations have several strong motives to keep bad news about a breach hidden," he said.
"There are lots of existing laws -- 46 different states have rules demanding disclosure -- but they are heavily negative," Lloyd added. "It’s a timely initiative to give corporations a positive reason to come clean about what is happening."
According to a report released by Schneiderman's office in July 2014, the number of reported data security breaches in New York more than tripled between 2006 and 2013, with 7.3 million New Yorkers' records exposed in more than 900 data breaches in 2013 alone.
"With some of the largest-ever data breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers," Schneiderman said in a statement. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
"Our new law will be the strongest, most comprehensive in the nation," Schneiderman added.