Schneiderman Pushes N.Y. Corporate Data Security Mandate Bills

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Gerald B. Silverman

New York Attorney General Eric T. Schneiderman (D) Nov. 2 endorsed new bills that would create a unique data security certification plan to give companies safe harbor from New York enforcement actions.

Although some states have exemptions built into their breach notification laws, New York is the first to propose creating a data certification program and specific safe harbor scheme, according to Bloomberg Law data.

Identical companion bills ( A. 8756, S. 6933) would amend New York’s data breach notice statute to require companies maintain “reasonable security” to protect private information, create the safe harbor plan, and expand the definition of protected private information to include biometric, health, and credit card information.

The bills, which were introduced Nov. 1 in the Senate and Oct. 31 in the Assembly, were filed in response to the recent data breach at Equifax Inc. and the record number of data breach notifications received by the attorney general’s office in 2016, Schneiderman said in the statement. The office received 1,300 data breach reports in 2016—a 60-percent increase over the previous year, he said.

The bills would create a safe-harbor from data breach enforcement actions by the attorney general’s office for entities that go beyond the minimum data security requirements and comply with certain state, federal, and independent standards. The attorney general would be restricted under the proposed law to bringing data security enforcement actions against companies under the safe harbor only if their conduct involved willful or bad faith action, or gross negligence.

The safe-harbor provision is “innovative, unique, and friendly to business,” David Zetoony, who heads the global data privacy and security practice at Bryan Cave LLP in New York and Boulder, Colo., said in the statement issued by the attorney general’s office. The safe harbor would reward companies “that go the extra mile to audit and verify compliance with an industry data security practice, removing the costs and unpredictability of government litigation,” he said.

Most states with breach notice laws provide an exemption for companies that are covered by notification provisions in federal sectoral laws, such as the Gramm-Leach-Bliley Act for the financial sector, or the Health Insurance Portability and Accountability Act for the health-care industry, or specific state laws.

Biometric, Payment Card Data

Many states already defined protected data as including health information. Adding biometric data to the list of information that requires special protection—and notification in the event of a breach—would make New York the eighth state to enact such a law.

Illinois, Iowa, Nebraska, New Mexico, and Wisconsin have breach notice laws in effect that cover biometric information, according to Bloomberg Law’s privacy and data security breach notification chart builder. Maryland’s law adding biometric data takes effect January 1, 2018, and Delaware’s law take effect April 4, 2018, the data show.

Adding payment card data to the list of protected information under the bills is consistent with what Schneiderman said motivated the legislation’s introduction.

Safe-Harbor Program

The safe-harbor provisions create “compliant regulated” entities—defined as those that are already regulated and compliant with existing or future federal or state regulations, including the recently issued New York Department of Financial Services cybersecurity rules.

A company may also be deemed a “certified compliant entity” under the safe harbor provisions if it meets the data security standards of the federal Department of Commerce National Institute of Standards and Technology or the International Standards Organization.

The bill includes a provision to ease the regulatory burden on small businesses by applying standards that are “appropriate to the size and complexity of the small business.” All other companies are required to meet “reasonable safeguards” and provide clear examples such as technical, administrative, and physical measures.

With assistance from Daniel R. Stoller in Washington

To contact the reporter on this story: Gerald B. Silverman in Albany, N.Y. at

To contact the editor responsible for this story: Donald Aplin at

For More Information

A. 8756 is available at

S. 6933 is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security