BreachExchange mailing list archives

One Attorney General's Plan to Fight Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 16 Jan 2015 13:31:20 -0700

http://www.inc.com/associated-press/attorney-general-schneiderman-proposes-tougher-data-security-law.html

New York's data security law is weak and should be overhauled to require
businesses to protect the personal information of consumers and employees,
the state's top law enforcement official said Wednesday.

New York Attorney General Eric Schneiderman said that in the event of a
data breach or unauthorized disclosure, companies and employers are merely
required to notify affected individuals if "private information" is
compromised. That includes Social Security, driver's license and account or
credit card numbers, but not email addresses and passwords, security
questions, medical history and health insurance information.

Schneiderman proposed making employers and retailers responsible for
protecting all that personal information, while giving them protection from
liability if they meet certain security standards.

"With some of the largest-ever data breaches occurring in just the last
year, it's long past time we updated our data security laws and expanded
protections for consumers," Schneiderman said. "We must also remind
ourselves that companies can be victims, and that those who take
responsible steps to protect customers should be rewarded."

According to a July report from the attorney general's office, security
breaches reported by businesses, nonprofits and governments in New York
more than tripled between 2006 and 2013, exposing 22.8 million personal
records of New Yorkers in nearly 5,000 incidents.

Deliberate hacking was responsible for 40 percent of the incidents, which
exposed a majority of the records, followed by lost or stolen equipment,
insider wrongdoing, and inadvertent errors, according to the report. The
7.3 million records exposed in 900 security breaches last year cost the
public and private sectors an estimated $1.37 billion to investigate,
rectify and help customers.

The proposed legislation would require entities that collect or store
private information to have "reasonable" security measures, including
administrative, technical and physical safeguards to assess risks from
employees, computer networks and software. They would also need the means
to detect, prevent and respond to attacks and to protect the physical
areas where information is stored, and they would be required to obtain
independent third-party compliance audits and certifications annually.