Schneiderman Proposes Tougher Data Security Law

ALBANY, N.Y. (CBSNewYork/AP) -- New York's data security law is weak and should be overhauled to require businesses to protect the personal information of consumers and employees, the state's top law enforcement official said Thursday.

Attorney General Eric Schneiderman said that in the event of a data breach or unauthorized disclosure, companies and employers are merely required to notify affected individuals if "private information" is compromised. That includes Social Security, driver's license and account or credit card numbers, but not email addresses and passwords, security questions, medical history and health insurance information.

Schneiderman proposed making employers and retailers responsible for protecting all that personal information, while giving them protection from liability if they meet certain security standards.

"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," Schneiderman said in a statement. "We must also remind ourselves that companies can be victims and that those who take responsible steps to protect customers should be rewarded."

He said the new law would be "the strongest, most comprehensive in the nation."

"There is proposed action at the federal level but until the federal government acts, the protections have to be provided on a state by state basis," Schneiderman told 1010 WINS. "California, Oregon and a few other states have got updated laws that provide more protection. Our goal is to have New York be at the forefront of this."

According to a July report from the attorney general's office, security breaches reported by businesses, nonprofits and governments in New York more than tripled between 2006 and 2013, exposing 22.8 million personal records of New Yorkers in nearly 5,000 incidents.

Deliberate hacking was responsible for 40 percent of the incidents, which exposed a majority of the records, followed by lost or stolen equipment, insider wrongdoing, and inadvertent errors, according to the report. The 7.3 million records exposed in 900 security breaches last year cost the public and private sectors an estimated $1.37 billion to investigate, rectify and help customers.

The proposed legislation would require entities that collect or store private information to have "reasonable" security measures, including administrative, technical and physical safeguards to assess risks from employees, computer networks and software.

They would also have to have the means to detect, prevent and respond to attacks and protect the physical areas where information is stored. They would need independent third-party compliance audits and certifications annually.

(TM and © Copyright 2015 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2015 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)