Following the Equifax Inc. breach that compromised personal information of 145.5 million Americans, including more than 8 million New Yorkers, Attorney General Eric Schneiderman is proposing comprehensive legislation to tighten data security laws and expand protections.
The Stop Hacks and Improve Electronic Data Security Act, introduced this week in the Legislature, would require companies that handle New Yorkers’ sensitive data to adopt “reasonable administrative, technical and physical protections for data” regardless of where the company is headquartered, Schneiderman’s office said in a news release Thursday. It would cover credit reporting agencies such as Equifax as well as many other types of companies that collect personally identifiable information on individuals.
The Attorney General’s Office said it received a record 1,300 data breach notifications in 2016, a 60 percent increase over the previous year.
Business officials, speaking on background, said they wondered how such a proposal would be enforced considering the proposal extends to entities operating outside the state. The bill would apply the notice requirement to anyone holding private information of New Yorkers, a change from the current requirement that they “conduct business” in the state.
Under the legislation, reporting requirement triggers would include username and password combinations, biometric data and health data covered by the federal Health Insurance Portability and Accountability Act of 1996. Current New York state law requires that companies meet data security requirements only if the identifiable information contains a Social Security number, according to the Attorney General’s Office.
“It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” Schneiderman said in the release.
Schneiderman’s program bill, introduced by state Sen. David Carlucci and Assemblyman Brian Kavanagh, both Democrats who lead their respective chambers’ consumer protection bureaus, would allow the Attorney General’s Office to seek civil penalties and injunctions if companies don’t provide adequate security for their data.
The civil penalty would be $5,000 for each violation or up to $20 per instance of failed notification, provided that the latter’s aggregate amount doesn’t exceed $250,000. The legislation would also require companies that handle sensitive user data to provide consumers with broader information when a data breach is attempted or occurs, Schneiderman’s office said.
The legislation provides flexibility for small businesses with fewer than 50 employees that have gross revenue under $3 million for the last three fiscal years or less than $5 million in year-end total assets. According to the legislation, small businesses would be deemed compliant if they “implement and maintain reasonable safeguards that are appropriate to the size and complexity of the small business to protect the security, confidentiality and integrity of the private information.”
Also under the bill, companies that obtain independent certification that their data security measures meet the highest standard would receive safe harbor from state enforcement action.
David Zetoony, leader of Bryan Cave’s global data privacy and security practice, praised the provision in the AG’s news release, saying that “providing a safe harbor for companies that go above-and-beyond to certify good data security is innovative, unique and friendly to business.”
The Business Council of New York State Inc., an association of more than 2,400 private sector employers, is still in discussion with Schneiderman’s office over the legislation, a spokesman for the organization told the New York Law Journal.
“Businesses are not the bad actors in the scenario,” said spokesman Zack Hutchins. “They’re interested in securing their customer data.”
The legislation comes roughly two months after the massive breach of the major consumer credit reporting agency Equifax. Schneiderman’s office opened an investigation into Equifax in September. The state’s Department of Financial Services, which regulates banking, insurance and other financial institutions, is also investigating the Equifax breach.
Following the Equifax breach, New York Gov. Andrew Cuomo proposed new regulations that would subject consumer credit reporting agencies to the same groundbreaking cybersecurity rules that the state recently enacted for banks and insurance companies. Under the proposed rules, credit reporting agencies such as Equifax, TransUnion and Experian would have to register with the state Department of Financial Services beginning in February and every year thereafter. Credit reporting agencies, under Cuomo’s proposal, would also have to have state-approved cybersecurity plans.
A spokeswoman for the Consumer Data Industry Association, the trade group representing credit reporting agencies, said in an email that the organization is reviewing Schneiderman’s proposal. In a hearing last week before a state Senate panel, Eric Ellman, the senior vice president of public policy and legal affairs at the Consumer Data Industry Association, based in Washington, D.C., said further laws weren’t necessary and lawmakers should be focusing on mitigating cybersecurity threats.
Separately, on Wednesday, the AG’s office announced a $700,000 settlement with Hilton Domestic Operating Co. Inc., formerly known as Hilton Worldwide Inc., after 350,000 credit card numbers were exposed in two separate breaches in 2015.