NY AG Proposes Stricter Data Security Laws Citing Equifax Breach
Attorney General Eric Schneiderman is proposing comprehensive legislation to tighten state data security laws and expand data protections for New York residents in the aftermath of the Equifax breach that compromised 8 million New Yorkers among 145.5 million Americans.
November 02, 2017 at 04:13 PM
New York State Attorney General Eric Schneiderman. Photo credit: Rick Kopstein
Following on the Equifax Inc. breach that compromised personal information of 145.5 million Americans including more than 8 million New Yorkers, Attorney General Eric Schneiderman is proposing comprehensive legislation to tighten data security laws and expand protections.
The Stop Hacks and Improve Electronic Data Security Act, introduced this week in the Legislature, would require companies that handle New Yorkers' sensitive data to adopt “reasonable administrative, technical and physical protections for data” regardless of where the company is headquartered, Schneiderman's office said in a news release Thursday. It would cover credit reporting agencies such as Equifax as well as many other types of companies that collect personally identifiable information on individuals.
The Attorney General's Office said it received a record 1,300 data breach notifications in 2016, a 60 percent increase over the previous year.
Business officials, speaking on background, said they wondered how such a proposal would be enforced considering the proposal extends to entities operating outside the state. The bill would apply the notice requirement to anyone holding private information of New Yorkers, a change from the current requirement that they “conduct business” in the state.
Under the legislation, reporting requirement triggers would include username and password combinations, biometric data and health data covered by the federal Health Insurance Portability and Accountability Act of 1996. Current New York state law requires that companies meet data security requirements only if the identifiable information contains a Social Security number, according to the Attorney General's Office.
“It's clear that New York's data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It's time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” Schneiderman said in the release.
Schneiderman's program bill, introduced by state Sen. David Carlucci and Assemblyman Brian Kavanagh, both Democrats who lead their respective chambers' consumer protection bureaus, would allow the Attorney General's Office to seek civil penalties and injunctions if companies don't provide adequate security for their data.
The civil penalty would be $5,000 for each violation or up to $20 per instance of failed notification, provided that the latter's aggregate amount doesn't exceed $250,000. The legislation would also require companies that handle sensitive user data to provide consumers with broader information when a data breach is attempted or occurs, Schneiderman's office said.
The legislation provides flexibility for small businesses with fewer than 50 employees, who have gross revenue under $3 million for the last three fiscal years or less than $5 million in year-end total assets. According to the legislation, small businesses would be deemed compliant if they “implement and maintain reasonable safeguards that are appropriate to the size and complexity of the small business to protect the security, confidentiality and integrity of the private information.”
Also under the bill, companies that obtain independent certification that their data security measures meet the highest standard would receive safe harbor from state enforcement action.
David Zetoony, leader of Bryan Cave's global data privacy and security practice, praised the provision in the AG's news release, saying that “providing a safe harbor for companies that go above-and-beyond to certify good data security is innovative, unique and friendly to business.”
The Business Council of New York State Inc., an association of more than 2,400 private sector employers, is still in discussion with Schneiderman's office over the legislation, a spokesman for the organization told the New York Law Journal.
“Businesses are not the bad actors in the scenario,” said spokesman Zack Hutchins. “They're interested in securing their customer data.”
The legislation comes roughly two months after the massive breach of the major consumer credit reporting agency Equifax. Schneiderman's office opened an investigation into Equifax in September. The state's Department of Financial Services, which regulates banking, insurance and other financial institutions, is also investigating the Equifax breach.
Following the Equifax breach, New York Gov. Andrew Cuomo proposed new regulations that would subject consumer credit reporting agencies to the same groundbreaking cybersecurity rules that the state recently enacted for bank and insurance companies. Under the proposed rules, credit reporting agencies such as Equifax, TransUnion and Experian would have to register with the state Department of Financial Services beginning in February and every year thereafter. Credit reporting agencies, under Cuomo's proposal, would have to have state-approved cybersecurity plans.
A spokeswoman for the Consumer Data Industry Association, the trade group representing credit reporting agencies, said in an email that the organization is reviewing Schneiderman's proposal. In a hearing last week before a state Senate panel, Eric Ellman, the senior vice president of public policy and legal affairs at the Consumer Data Industry Association, based in Washington, D.C., said further laws weren't necessary and lawmakers should be focusing on mitigating cybersecurity threats.
Separately, on Wednesday, the AG's office announced a $700,000 settlement with Hilton Domestic Operating Co. Inc., formerly known as Hilton Worldwide Inc., after 350,000 credit card numbers were exposed in two separate breaches in 2015.
© 2024 ALM Global, LLC, All Rights Reserved.