New York Attorney General Eric Schneiderman announced plans to propose legislation bolstering the state's data security law, increasing safeguards to protect consumers' personal data.
Currently, companies are only required to notify affected individuals of a data breach if "private information" is compromised, which does not include medical history, health insurance information and email addresses, among other data points. Additionally, the state does not have a law directly requiring entities to implement data security measures to protect consumer information.
Attorney General Schneiderman's law seeks to expand the definition of private information to include email addresses, passwords, medical information, biometric information and health insurance information. It would require entities that collect or store private information to have "reasonable security measures" to protect that information. Additionally, the law would provide a safe harbor for businesses that adopt heightened levels of data security as well as incentivize companies to share forensic reports with law enforcement following a breach by protecting privilege.
"With some of the largest-ever data breaches occurring in just the last year, it's long past time we updated our data security laws and expanded protections for consumers," said Attorney General Schneiderman. "We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection."
More articles on data security:
3 tips to ensure IT infrastructure security
CHIME chairman: We need 'blended' information security approach
10 patient data protection strategies