NY attorney general proposes tougher data security law
(AP) -- New York's data security law is weak and should be overhauled to require businesses to protect the personal information of consumers and employees, the state's top law enforcement official said Wednesday.
New York Attorney General Eric Schneiderman said that in the event of a data breach or unauthorized disclosure, companies and employers are merely required to notify affected individuals if "private information" is compromised. That includes Social Security, driver's license and account or credit card numbers, but not email addresses and passwords, security questions, medical history and health insurance information.
Schneiderman proposed making employers and retailers responsible for protecting all that personal information, while giving them protection from liability if they meet certain security standards.
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," Schneiderman said. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to protect customers should be rewarded."
According to a July report from the attorney general's office, security breaches reported by businesses, nonprofits and governments in New York more than tripled between 2006 and 2013, exposing 22.8 million personal records of New Yorkers in nearly 5,000 incidents.
Deliberate hacking was responsible for 40 percent of the incidents, which exposed a majority of the records, followed by lost or stolen equipment, insider wrongdoing, and inadvertent errors, according to the report. The 7.3 million records exposed in 900 security breaches last year cost the public and private sectors an estimated $1.37 billion to investigate, rectify and help customers.
The proposed legislation would require entities that collect or store private information to have "reasonable" security measures, including administrative, technical and physical safeguards to assess risks from employees, computer networks and software. They would also have to have the means to detect, prevent and respond to attacks and protect the physical areas where information is stored. They would need independent third-party compliance audits and certifications annually.