Attorney General proposes to strengthen New York’s data security law

New York Attorney General Eric T. Schneiderman has announced proposals for new data security legislation that would “require new and unprecedented safeguards for the personal data of consumers.”

In a press release, the Attorney General said that:

“With some of the largest-ever data breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers. We must also remind ourselves that companies can be victims, and that those who take responsible steps to safeguard customer data deserve recognition and protection. Our new law will be the strongest, most comprehensive in the nation.”

In the absence of a federal data breach notification law – unless the President’s proposed Personal Data Notification and Protection Act is passed – American organizations have to abide by a confusing salmagundi of security laws that vary from state to state.

New York’s current data breach law requires entities that conduct business in New York, and that own or license computerized personal information, to notify New York residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their computerized personal information. If more than 5,000 New York residents have to be notified of a breach, breached entities must also notify those consumer reporting agencies specified by the Attorney General.

Under AG Schneiderman’s new proposals:

  • The definition of personal information will be expanded to include: “both the combination of an email address and password, and an email address in combination with a security question and answer, as California already has done” as well as “medical information, including biometric information, and health insurance information.”
  • Companies will need to implement stronger administrative, technical, and physical security measures. Organizations that “obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.”
  • A safe harbor will provide an incentive for a heightened level of data security. “To comply, entities would be required to categorize their information systems based on the risk a data breach imposes on the information stored. Once information systems are categorized, a data security plan based on a multitude of factors would be implemented and followed. Once this standard is met, the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.”

ISO 27001

Organizations that conduct business in New York can comply with all of the new requirements by achieving certification to the international standard for information security management, ISO 27001.

ISO 27001 sets out the requirements of a best-practice information security management system (ISMS), an enterprise-wide approach to data security that encompasses people, processes, and technology. This risk-based approach exactly follows the requirement of the new safe harbor proposals, as set out above.

Moreover, organizations that achieve independent, accredited certification to the Standard will show “compliance with New York’s reasonable data security requirements”, which in turn will give them “a rebuttable presumption of having reasonable data security” for use in litigation. In the event of legal action following a data breach, ISO 27001-certified organizations could save considerable sums.

IT Governance ISO 27001 implementation solutions for all

IT Governance has led hundreds of ISO 27001 certifications around the world and has now developed a series of fixed-price ISO 27001 Packaged Solutions to allow organizations of all sizes, sectors, and locations to use IT Governance’s expertise to implement the Standard at a speed and for a budget appropriate to their individual needs.

There are five core packages: The Basics, Do It Yourself, Get A Little Help, Get A Lot Of Help, and We’ll Do It For You, each of which provides a different level of support and resources. For a simple overview of the packages, and to see which one will suit your organization’s needs, please click here for more information.