30 January 2015

New York Attorney General Announces Proposal To Revamp State Data Security Laws

BakerHostetler

Contributor


On January 15, 2015, New York Attorney General Eric Schneiderman indicated that he plans to propose legislation to update New York's information security laws, including by revising the definition of "private information" under the state's data security breach notification statute. Schneiderman's proposal comes on the heels of President Obama's January 13, 2015, unveiling of measures further to his 2011 Cybersecurity Legislative Proposal, including a plan to create a national data breach notification standard aimed at "simplifying and standardizing the existing patchwork of ... state laws ... into one federal statute."

Notably, Attorney General Schneiderman's proposed changes to New York's security breach notification law would expand the definition of "private information" to encompass:

  • email addresses (in combination with either the password or security question and answer);
  • medical information (including biometric information); and
  • health insurance information.

If such an amendment were to pass, New York would become one of only a handful of states that include email account information and/or medical information in their security breach notification law definitions of personal information. President Obama's proposed national breach notification standard also would provide protection for these types of information.

In addition to his proposed changes to the breach notification law, Schneiderman announced that he will push for legislation (1) requiring companies to implement data security safeguards to protect consumer information; (2) creating a "safe harbor" from liability for companies that meet certain information security standards; and (3) incentivizing data sharing with respect to breach-related forensic reports by ensuring that disclosing such reports to law enforcement authorities "does not affect any privilege or protection."

Schneiderman will need sponsors in the New York State legislature to introduce a bill that would advance his agenda, but reports indicate he's likely to find bipartisan support for the proposals. It remains to be seen whether President Obama's national data breach notification standard would supersede the myriad existing state laws requiring notification of security breach incidents affecting personal information, particularly with respect to state laws that arguably may be more stringent than the final version of the federal statute.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
