On January 15, 2015, New York Attorney General Eric Schneiderman indicated that he plans to propose legislation to update New York’s information security laws, including by revising the definition of “private information” under the state’s data security breach notification statute. Schneiderman’s proposal comes on the heels of President Obama’s January 13, 2015, unveiling of measures that build on his 2011 Cybersecurity Legislative Proposal, including a plan to create a national data breach notification standard aimed at “simplifying and standardizing the existing patchwork of … state laws … into one federal statute.”
Notably, Attorney General Schneiderman’s proposed changes to New York’s security breach notification law would expand the definition of “private information” to encompass:
- email addresses (in combination with either the password or security question and answer);
- medical information (including biometric information); and
- health insurance information.
If such an amendment were to pass, New York would become one of only a handful of states whose security breach notification laws include email account information and/or medical information in their definitions of personal information. President Obama’s proposed national breach notification standard also would provide protection for these types of information.
In addition to his proposed changes to the breach notification law, Schneiderman announced that he will push for legislation (1) requiring companies to implement data security safeguards to protect consumer information; (2) creating a “safe harbor” from liability for companies that meet certain information security standards; and (3) incentivizing data sharing with respect to breach-related forensic reports by ensuring that disclosing such reports to law enforcement authorities “does not affect any privilege or protection.”
Schneiderman will need sponsors in the New York State legislature to introduce a bill that would advance his agenda, but reports indicate he’s likely to find bipartisan support for the proposals. It remains to be seen whether President Obama’s national data breach notification standard would supersede the myriad existing state laws requiring notification of security breach incidents affecting personal information, particularly with respect to state laws that arguably may be more stringent than the final version of the federal statute.