New York Attorney General Eric Schneiderman is proposing an "overhaul [of] New York's data security law [that would] require new and unprecedented safeguards for the personal data of consumers." The proposal would create new data security requirements for businesses and would expand the types of information covered by New York's data breach notification statute. Although the text of a draft bill has yet to be released, this announcement highlights the changing legal environment expected in the coming year for companies related to cybersecurity.

The Attorney General’s far-reaching proposal would first expand the definition of “private information” under New York’s data breach notification statute. The law currently requires companies to notify New York consumers of any unauthorized access to the consumers' Social Security numbers, driver’s license or state identification card numbers, or account numbers and any security information required to access the accounts. As announced, the Attorney General seeks to broaden the definition of “private information” to include:

• An e-mail address combined with a password
• An e-mail address combined with any necessary security question and answer
• Medical information
• Biometric information
• Health insurance information

The proposal would also require companies that collect or store private information to take “reasonable security measures” to protect that information from unauthorized access. As announced, companies collecting or storing private information would be required to have:

• Administrative safeguards, which would presumably include data security policies and procedures and employee training
• Technical safeguards to regularly assess, detect, prevent, and respond to risks in the company’s networks, software, and information processing systems
• Physical safeguards to prevent intrusions, protect areas where information is stored, and ensure that media containing private information are properly disposed of

If the proposal is enacted, New York would become the latest of several states to require that companies have reasonable data security measures in place to protect consumers’ information. While the announcement states that the above requirements would apply to all companies collecting or storing private information, the Attorney General is also proposing the creation of a litigation safe harbor for companies adopting a “heightened” level of security. This would require companies to classify data based on risk and to implement individualized data security plans for each level of risk.

After a company was certified by an independent third party as meeting the heightened standard, the company would be entitled to a rebuttable presumption that it had reasonable data security practices should it face litigation due to a data security incident. To encourage companies to share forensic data about potential data incidents with law enforcement, the proposal stipulates that such disclosures would not waive any applicable attorney-client or work product privileges.

The proposal has yet to be introduced in the New York State Legislature. It demonstrates, however, that state breach and data security requirements are in flux and companies should be aware of the latest developments and requirements, especially in states such as New York where a stringent cybersecurity regime could quickly become the new national standard. Monitoring new statutory and regulatory security requirements should be a part of every company’s data security policies and procedures.