Eric Schneiderman for Attorney General

“Albany Times Union: Schneiderman Proposes Legislation in Response to Equifax Hack”

November 2, 2017

As published by The Albany Times Union, on November 2, 2017.

State Attorney General Eric Schneiderman is pushing new legislation introduced this week to tighten state data security laws in the wake of the Equifax breach earlier this year.

The bill would require companies that deal with New Yorkers’ sensitive data, no matter where they are headquartered, to adopt “reasonable” administrative, technical and physical protections for data. The data covered under law would be expanded to include biometric data, such as fingerprints used to unlock an iPhone; username and password combinations; and health data covered under federal privacy laws.

The Equifax breach exposed the sensitive personal information of 143 million Americans and led to the theft of credit card numbers for roughly 209,000 people, according to the Federal Trade Commission.

Under state law, companies must meet data security requirements only if the personally identifying information they hold contains a social security number, according to Schneiderman’s office.

The bill would allow the attorney general to seek civil penalties against companies found to have inadequate security. It also would expand reporting requirements to include notification of breaches of the additional types of data, as well as disclosing instances when hackers view private data even if they aren’t able to download the information.

The bill includes flexible standards for small businesses with less than 50 employees and less than $3 million in gross revenue or $5 million in assets, according to Schneiderman’s office. For those companies, the new requirements would be tailored to be “appropriate to the small business’s size and complexity.”

“It’s clear that New York’s data security laws are weak and outdated,” Schneiderman said in a statement. “The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl.”

Schneiderman’s bill is sponsored by Assemblyman Brian Kavanagh, D-Manhattan, and state Sen. David Carlucci, D-Rockland County.

In September, Gov. Andrew Cuomo’s administration proposed new regulations that would require credit reporting agencies to register with the state, subjecting them to strict cybersecurity standards.

Under the Schneiderman bill, companies that already are regulated by and compliant with existing or future federal or state regulations, including those from the Department of Financial Services, would be deemed compliant with the law’s reasonable security requirement.

Certain “certified compliant entities” with independent certification of compliance with government data security regulations would be granted “safe harbor” from enforcement actions by the attorney general, assuming there is no evidence of willful misconduct, bad faith or gross negligence.