BreachExchange mailing list archives

N.Y. AG Seeks To Have the ‘Strongest, Most Comprehensive’ Data Security Law in Nation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 27 Jan 2015 19:33:00 -0700

http://abovethelaw.com/2015/01/n-y-ag-seeks-to-have-the-strongest-most-comprehensive-data-security-law-in-nation/

Last week, New York Attorney General Eric Schneiderman announced that he
would propose a new data security law in his state that would require
companies to take increased safeguards for the protection of personal
information. The bill, if passed, would broaden the scope of information
that companies would be responsible for protecting, and would require
stronger technical and physical security measures for protecting
information. Specifically, the bill would apply to all entities doing
business in New York that collect and store private information, and would
require such entities to have reasonable security measures in place,
including:

– Administrative safeguards to assess risks, train employees and maintain
safeguards

– Technical safeguards to (i) identify risks in their respective network,
software, and information processing, (ii) detect, prevent and respond to
attacks, and (iii) regularly test and monitor systems controls and
procedures

– Physical safeguards to have special disposal procedures, detection and
response to intrusions, and protect the physical areas where information is
stored

Under the law, entities that obtain annual, independent third-party audits
and certifications showing compliance with the state’s data security
requirements would receive for use in litigation a rebuttable presumption
of having reasonable data security measures in place. To incentivize
companies to adopt tougher data security measures, the new bill will also
include a safe harbor provision for those companies who certify that they
have implemented heightened data security standards. In order to qualify
for the safe harbor, entities would be required to categorize their data
systems based on the risk a data breach imposes on the data stored. An
appropriate data security plan considering such risks and other factors
would then need to be implemented and followed. If this standard is met,
the entity would need to obtain a certification, though it is not clear yet
from whom the certification would need to be obtained. Upon obtaining the
certification, the entity would be granted the benefit of a safe harbor
that may eliminate its liability entirely under the law. In addition, the
proposed law would amend the state’s existing data breach notification law
to include in the definition of “private information” the combination of an
email address and password, the combination of an email address with a
security question and answer, medical data, and health insurance
information (entities are currently not required under the law to notify
consumers of a breach of any of these types of information).

The attorney general shared his ambitious goal for the bill, saying that he
envisions that the “new law will be the strongest, most comprehensive in
the nation.” Citing the high number of data breaches last year, he said
that he wanted New York’s law to serve as “a national model for data
privacy and security.” While a copy of the proposed legislation is not yet
publicly available, we envision that it will bear some similarities to
Massachusetts’ Data Protection Regulations in that both set forth specific
minimum standards that companies are required to take in connection with
the safeguarding of personal information. We have previously covered some
of the requirements under the Massachusetts Regulations here. With
President Obama also pushing his own privacy and cybersecurity agenda, 2015
could potentially result in a drastic change in the privacy law landscape.
We will be following these legislative developments closely.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
