NY AG Proposes Stricter Data Security Laws Citing Equifax Breach

Business officials, speaking on background, said they wondered how such a proposal would be enforced considering the proposal extends to entities operating outside the state. The bill would apply the notice requirement to anyone holding private information of New Yorkers, a change from the current requirement that they “conduct business” in the state.

Under the legislation, reporting requirement triggers would include username and password combinations, biometric data and health data covered by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Current New York state law requires that companies meet data security requirements only if the identifiable information contains a Social Security number, according to the Attorney General's Office.

“It's clear that New York's data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It's time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” Schneiderman said in the release.

Schneiderman's program bill, introduced by state Sen. David Carlucci and Assemblyman Brian Kavanagh, both Democrats who lead their respective chambers' consumer protection bureaus, would allow the Attorney General's Office to seek civil penalties and injunctions if companies don't provide adequate security for their data.

The civil penalty would be $5,000 for each violation or up to $20 per instance of failed notification, provided that the latter's aggregate amount doesn't exceed $250,000. The legislation would also require that companies who handle sensitive user data to provide consumers with broader information when a data breach is attempted or occurs, Schneiderman's office said.

The legislation provides flexibility for small businesses with fewer than 50 employees, who have gross revenue under $3 million for the last three fiscal years or less than $5 million in year-end total assets. According to the legislation, small businesses would be deemed compliant if they “implement and maintain reasonable safeguards that are appropriate to the size and complexity of the small business to protect the security, confidentiality and integrity of the private information.”

Also under the bill, companies that obtain independent certification that their data security measures meet the highest standard would receive safe harbor from state enforcement action.

David Zetoony, leader of Bryan Cave's global data privacy and security practice, praised the provision in the AG's news release, saying it is “providing a safe harbor for companies that go above-and-beyond to certify good data security is innovative, unique and friendly to business.”

The Business Council of New York State Inc., an association of more than 2,400 private sector employers, is still in discussion with Schneiderman's office over the legislation, a spokesman for the organization told our ALM sibling New York Law Journal.

“Businesses are not the bad actors in the scenario,” said spokesman Zack Hutchins. “They're interested in securing their customer data.”

The legislation comes roughly two months after the massive breach of the major consumer credit reporting agency Equifax. Schneiderman's office opened up an investigation into Equifax in September. The state's Department of Financial Services, which regulates the banking insurance and other financial institutions, is also investigating the Equifax breach.

Following the Equifax breach, New York Gov. Andrew Cuomo proposed new regulations that would subject consumer credit reporting agencies to the same groundbreaking cybersecurity rules that the state recently enacted for bank and insurance companies. Under the proposed rules, credit reporting agencies such as Equifax, TransUnion and Experian would have to register with the state Department of Financial Services beginning in February 2018 and every year thereafter. Credit reporting agencies, under Cuomo's proposal, would have to have state-approved cybersecurity plans.

A spokeswoman for the Consumer Data Industry Association, the trade group representing credit reporting agencies, said in an email that the organization is reviewing Schneiderman's proposal. In a hearing last week before a state Senate panel, Eric Ellman, the senior vice president of public policy and legal affairs at the Consumer Data Industry Association, based in Washington, DC, said further laws weren't necessary and lawmakers should be focusing on mitigating cybersecurity threats.

Separately, the NY AG's office recently announced a $700,000 settlement with Hilton Domestic Operating Co. Inc., formerly known as Hilton Worldwide Inc., after 350,000 credit card numbers were exposed in two separate breaches in 2015.

*****
Josefa Velasquez is a regulatory and Court of Appeals reporter in Albany, NY for the New York Law Journal, an ALM sibling of Cybersecurity Law & Strategy. Contact Josefa at [email protected], and on Twitter: @j__velasquez.