NY attorney general proposes tougher data security law

(AP) -- New York's data security law is weak and should be overhauled to require businesses to protect the personal information of consumers and employees, the state's top law enforcement official said Wednesday.



New York Attorney General Eric Schneiderman said that in the event of a data breach or unauthorized disclosure, companies and employers are merely required to notify affected individuals if "private information" is compromised. That includes Social Security, driver's license and account or credit card numbers, but not email addresses and passwords, security questions, medical history and health insurance information.



Schneiderman proposed making employers and retailers responsible for protecting all that personal information, while giving them protection from liability if they meet certain security standards.



"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," Schneiderman said. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to protect customers should be rewarded."



According to a July report from the attorney general's office, security breaches reported by businesses, nonprofits and governments in New York more than tripled between 2006 and 2013, exposing 22.8 million personal records of New Yorkers in nearly 5,000 incidents.



Deliberate hacking was responsible for 40 percent of the incidents, which exposed a majority of the records, followed by lost or stolen equipment, insider wrongdoing, and inadvertent errors, according to the report. The 7.3 million records exposed in 900 security breaches last year cost the public and private sectors an estimated $1.37 billion to investigate, rectify and help customers.



The proposed legislation would require entities that collect or store private information to have "reasonable" security measures, including administrative, technical and physical safeguards to assess risks from employees, computer networks and software. They would also have to have the means to detect, prevent and respond to attacks and protect the physical areas where information is stored. They would need independent third-party compliance audits and certifications annually.


sorry to interrupt
your first 20 are free
Access to News 12 is free for Optimum, Comcast®, Time Warner® and Service ElectricSM customers.
Please enjoy 20 complimentary views of articles, photos, and videos during the next 30 days.
you have reached your 20 view limit
Access to News 12 is free for Optimum, Comcast®, Time Warner® and Service ElectricSM customers.
Please login or create an account to continue enjoying News12.
Our sign-up page is undergoing maintenance and is not currently available. However, you will be given direct access to news12.com while we complete our upgrade.
When we are back up and running you will be prompted at that time to complete your sign in. Until then, enjoy the local news, weather, traffic and more that's "as local as local news gets."