New York Attorney General Eric Schneiderman plans to propose legislation that will overhaul that state’s data security laws with a focus on protecting the information of consumers.
The proposed legislation would broaden the scope of information that companies would be responsible for protecting with an increased focused on stronger technical and physical security measures.
The bill would also create a safe harbor for companies that meet certain security standards by creating incentives for them to adopt stricter rules for protecting customer data.
“With some of the largest-ever data breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers,” Schneiderman said in a statement last week. “We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection. Our new law will be the strongest, most comprehensive in the nation. Let’s act now to make our state a national model for data privacy and security.”
The measure would be a major step forward as New York state currently does not have any rules in place for companies securing consumer data. The rules come in the wake of a handful of public data breaches at major corporations around the country, most notably at Target and Home Depot.
Schneiderman’s office released a report last July that said data security breaches in New York more than tripled between 2006 and 2013. Over that same time, the personal records of more than 22.8 million people in the state were exposed in more than 5,000 data breaches.
Schneiderman’s office believes those breaches cost the state $1.37 billion in 2013 alone.
In addition, the report found that hacking intrusions — in which third parties gain unauthorized access to data stored on a computer system — were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches.
“The Attorney General’s proposed bill would provide companies that commit to applying heightened data security standards a safe harbor against investigations by the Attorney General and potentially consumer liability,” said Alan Raul, partner and global coordinator of Sidley Austin LLP, in a statement. “This is a creative approach to incentivize companies to adopt stronger safeguards and more rigorous control processes like those of the NIST Cybersecurity Framework.”
Added Kathryn Wylde, president and CEO of the Partnership for New York City, “Employers and consumers are equal victims when there is a breach of cyber security. The Attorney General’s willingness to create a better process for preventing illegal cyber activities merits support from business and the public at large.”