Raising Our Guard vs. Mega-Breaches
September 18, 2017
By Attorney General Eric Schneiderman, as published by The Daily News, on September 15, 2017.
The massive Equifax data breach made millions of Americans feel extraordinarily vulnerable.
More than 140 million Americans — that’s more than half the adults in the country, including more than 8 million New Yorkers — appear to have had their most sensitive personal information revealed. My office has already opened an investigation into exactly what happened.
The scale of this breach and the severity of the privacy invasion is shocking and completely unprecedented. But it was entirely predictable. It is in many ways merely an escalation in a disturbing trend of what I call mega-breaches. Last year, there were 1,300 significant data breaches in New York — up 60% from the year before.
These breaches are inexcusable, and we should not merely accept them as part of living in an online society. The Equifax breach risked millions of people’s ability to buy a home, start a business, even get a job.
As my office found in a report we released earlier this year, “Information Exposed: Historical Examination of Data Security in New York State,” hacking accounted for more than 40% of data security breaches in 2016.
We are all scared of hacking — and we should be. But it has become the bogeyman of data security. While it is definitely a major factor in the rising impacts of data breaches, it is not the only significant contributor.
This past year, employee negligence — a combination of inadvertent exposure of records, insider wrongdoing and the loss of a device or media — nearly tied hacking, accounting for 37% of breaches.
It doesn’t have to be this way. We can and must expect more from the companies that are entrusted with our personal data.
For several years, I have been pushing for a major overhaul of New York’s data security laws to finally bring them in line with the reality of our current threats. The Equifax breach gives even more urgency to that fight.
That’s why it’s essential for Albany to pass the New York Data Security Act, which seeks to incentivize companies to bolster their cyberdefenses and to provide common-sense data security guidelines for companies to meet.
First, all entities that collect or store private information would be required to have “reasonable” security measures to protect our information, a common legal standard that accounts for the size of the company and the type of information it keeps. A mom-and-pop hardware store should have far different “reasonable” security measures than a multinational credit reporting agency, for instance.
These measures should include administrative safeguards such as assigning responsibility for security to a particular employee; technical safeguards such as antivirus programs; and physical safeguards such as locks to protect physical areas where information is stored.
Second, the bill would update the definition of “private information” to include both biometric data and the combination of an email address and password. California has already done this, and New York’s failure to do so is a major shortcoming in our state’s protection of consumers.
Finally, the bill would provide a safe harbor to companies already subject to federal or other New York State regulations, and in compliance with those rules, so that they don’t need to worry about overlapping or conflicting requirements.
Similarly, companies that are certified for complying with leading industry data security guidelines would be presumed to have reasonable data security. If a company is earnestly and proactively attempting to protect its customers’ data, this safe harbor provides a major incentive for companies to boost their security.
These types of common-sense provisions are why my proposal has earned the support of important business groups like the Partnership for New York City and cybersecurity experts at major law firms. Yet for some reason, the state Senate has refused to bring it to the floor for a vote.
Our data systems are broken and, without common-sense reform, future breaches will only be bigger and more devastating.
We must see the Equifax breach as a spur to action. It is up to us to make our personal data safe.