New York AG Seeks 'Strongest' Data Breach Law, Drawing Comparison to National Legislation
New York Attorney General Eric Schneiderman said he's asking the state legislature to pass a bill backed by his office that would significantly strengthen New York’s data breach notification law, vowing it would be “the strongest, most comprehensive in the nation” and would make New York a “national model for data privacy and security.” Schneiderman’s push for a strengthened New York data breach law followed days after the White House proposed a national data breach bill to replace the “patchwork” of existing state laws (see 1501120043) and Senate Commerce Committee ranking member Bill Nelson, D-Fla., introduced the Data Security and Breach Notification Act (S-177) (see 1501140046). That bill’s text remained unavailable Friday, but Nelson has said he intended the bill to mirror the White House proposal.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Schneiderman’s proposal would expand the types of private information that a company would need to inform affected customers about if a data breach compromised that information. New York’s current law requires notification only when Social Security numbers, driver’s license information or credit card information are compromised. Schneiderman’s proposal would require notification when there’s a data breach involving a combination of an email address and password or an email address and the answer to a security question. Other new covered private information would include medical information, biometric data and health insurance information, Schneiderman’s office said. The bill also would create a “reasonable data security” requirement for companies that collect private information that includes physical and technical safeguards, as well as create a safe harbor that would provide liability protections for companies that heighten their cybersecurity.
Schneiderman’s proposal is “more detailed” and “focused” on cybersecurity than related legislation on Capitol Hill and proposals from the Obama administration, said David Kennedy, president of TrustedSec, an online security consulting firm. Schneiderman is attempting to “incorporate data security requirements for corporations in a manageable way,” he said. Schneiderman is trying to “tackle” cybersecurity from a “risk perspective” and then hold corporations to “basic safeguards,” Kennedy said. Schneiderman’s proposed legislation is “pretty good” in its attempt to “expand consumer protections,” said Justin Brookman, Center for Democracy & Technology’s Consumer Privacy Project director. New York is trying to clamp down on “bad consumer practices” related to cybersecurity, he said.
Schneiderman didn’t appear to intend his Thursday announcement as a response to the White House’s proposal, as the rise in data breaches in the state has been a focus for his office in recent months, a New York-based industry lawyer told us. Schneiderman’s office issued a report in July that found almost 5,000 reported data breaches had occurred in the state between 2006 and 2013, with the annual number of data breaches tripling by the end of that period. New York’s current data breach law went into effect in December 2005. Schneiderman’s office didn’t comment on whether he had discussed his proposal with the White House or Congress.
The White House “kept their plan so close to the vest that I don’t think [Schneiderman’s announcement] was a deliberate move against them,” but it still highlights longstanding concerns about the potential for pre-emption of existing state laws, said Arent Fox Senior Government Relations Director Alex Manning, former staff director for the House Homeland Security Committee’s Cybersecurity Subcommittee. “You’re going to see a lot of pushback from the states,” he said. Forty-seven states, Washington, D.C., Guam, Puerto Rico and the U.S. Virgin Islands currently have some form of data breach notification law, all of which vary in their breadth and strength, said the National Conference of State Legislatures.
Pre-emption was controversial last year when then-Rep. Lee Terry, R-Neb., urged its inclusion in a national data breach notification law, and “many of my colleagues didn't like” it, said Terry, now a Kelly Drye senior adviser-government relations, in an email. “I was adamant about the pre-emption of state laws so we have one uniform/standard breach notification law” but it’s “going to the most difficult issue” Congress will deal with in considering a new law, Terry said.
Any national notification law that passes Congress is likely to be a compromise that will raise the standards in states with the weakest laws but won’t be as stringent as the strongest laws, which include California’s current law and Schneiderman’s proposed law for New York, Manning said. States are continuing to “innovate” on cybersecurity, Bookman said. But that’s because federal laws haven’t “supplanted” state laws, he said. Obama’s cybersecurity proposals are superior to many of those introduced on Capitol Hill, but its pre-emption provisions are “counterproductive,” Bookman said. Such provisions will halt states’ attempts to adapt their cybersecurity laws, he said.
Industry usually sides with implementing a national law because it can be onerous to follow movement among existing state and territorial laws, while privacy advocates are likely to continue to side with the states, Manning said. State governments “are going to have to go to battle against the [Obama] administration, industry and Congress,” he said. “They’re feeling a lot of pressure to harmonize these laws.” “Everyone agrees that some amount of harmonization is necessary, but I’m pretty sure the privacy community is going to put their foot down and say they believe the states will produce stronger requirements,” he said.
Kennedy favored Schneiderman’s proposal over the White House proposal and related legislation on Capitol Hill, both of which he said are too focused on information sharing. Such sharing won’t prevent the next Sony Pictures Entertainment hack, and also raises privacy concerns, particularly when companies are protected from any liability when sharing personal data with government agencies, he said. Companies should be held accountable for their personal data, said Kennedy. Obama’s cybersecurity proposals aren’t about cybersecurity at all; they’re really “intelligence gathering” proposals, he said. Schneiderman’s bill allows for information sharing but only in the case of “forensic” and breached data, said Kennedy. That’s different than sharing “blanketed” data, he said. CDT blogged Friday about potential privacy issues stemming from Obama’s cybersecurity proposals.