New York Attorney General Eric T. Schneiderman (D) Nov. 2 endorsed new bills that would create a unique data security certification plan to give companies safe harbor from New York enforcement actions.
Although some states have exemptions built into their breach notification laws, New York is the first to propose creating a data certification program and specific safe harbor scheme, according to Bloomberg Law data.
Identical companion bills (A. 8756, S. 6933) would amend New York’s data breach notice statute to require companies to maintain “reasonable security” to protect private information, create the safe harbor plan, and expand the definition of protected private information to include biometric, health, and credit card information.
The bills, which were introduced Nov. 1 in the Senate and Oct. 31 in the Assembly, were filed in response to the recent data breach at Equifax Inc. and the record number of data breach notifications received by the attorney general’s office in 2016, Schneiderman said in a statement. The office received 1,300 data breach reports in 2016, a 60-percent increase over the previous year, he said.
The bills would create a safe-harbor from data breach enforcement actions by the attorney general’s office for entities that go beyond the minimum data security requirements and comply with certain state, federal, and independent standards. The attorney general would be restricted under the proposed law to bringing data security enforcement actions against companies under the safe harbor only if their conduct involved willful or bad faith action, or gross negligence.
The safe-harbor provision is “innovative, unique, and friendly to business,” David Zetoony, who heads the global data privacy and security practice at Bryan Cave LLP in New York and Boulder, Colo., said in the statement issued by the attorney general’s office. The safe harbor would reward companies “that go the extra mile to audit and verify compliance with an industry data security practice, removing the costs and unpredictability of government litigation,” he said.
Most states with breach notice laws provide an exemption for companies that are covered by notification provisions in federal sectoral laws, such as the Gramm-Leach-Bliley Act for the financial sector, or the Health Insurance Portability and Accountability Act for the health-care industry, or specific state laws.
Many states already define protected data as including health information. Adding biometric data to the list of information that requires special protection, and notification in the event of a breach, would make New York the eighth state to enact such a law.
Illinois, Iowa, Nebraska, New Mexico, and Wisconsin have breach notice laws in effect that cover biometric information, according to Bloomberg Law’s privacy and data security breach notification chart builder. Maryland’s law adding biometric data takes effect January 1, 2018, and Delaware’s law takes effect April 4, 2018, the data show.
Adding payment card data to the list of protected information under the bills is consistent with what Schneiderman said motivated the legislation’s introduction.
The safe-harbor provisions create “compliant regulated” entities—defined as those that are already regulated and compliant with existing or future federal or state regulations, including the recently issued New York Department of Financial Services cybersecurity rules.
A company may also be deemed a “certified compliant entity” under the safe harbor provisions if it meets the data security standards of the federal Department of Commerce National Institute of Standards and Technology or the International Standards Organization.
The bill includes a provision to ease the regulatory burden on small businesses by applying standards that are “appropriate to the size and complexity of the small business.” All other companies would be required to maintain “reasonable safeguards,” for which the bill gives clear examples such as technical, administrative, and physical measures.
With assistance from Daniel R. Stoller in Washington
To contact the reporter on this story: Gerald B. Silverman in Albany, N.Y. at GSilverman@bna.com
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.