Stronger Data Security Laws Proposed by New York Attorney General
In step with President Obama’s proposed information security legislation, New York State Attorney General Eric T. Schneiderman has proposed an update to state legislation on consumer data and data breach notification laws, as eSecurityPlanet.com reports.
His proposal expands the definition of ‘private information’ to include:
- The combination of:
  - Email addresses and passwords
  - Email addresses, security questions and answers
- Medical information (including biometric)
- Health insurance information
What effect does that have on data breach notification laws in New York? Currently, state law only requires companies to notify consumers if their private information, as defined by the statute, is exposed in a breach. By widening the scope of ‘private information,’ the state is forcing companies to take greater responsibility for both notifying consumers and protecting their information.
In addition to broadening the definition of consumer information that needs to be protected, the state will also require stronger technical and physical security measures to protect data. To incentivize companies to adopt stronger security tools, the state will create a ‘safe harbor’ for those that meet certain security standards - stating that they could potentially be exempt from liability completely.
Other data regulatory entities have primarily adopted a penalty model to enforce adoption of stronger security measures, in which companies are fined if they’ve been breached and prevention was found to be possible (per compliance regulations). This is true for the healthcare industry, which is also subject to randomized audits conducted by the Dept. of Health & Human Services and can be fined for noncompliance with HIPAA. See the HIPAA violation penalty tiers, below:
Other industries are based on a business exclusivity model, meaning that if a service provider doesn’t meet compliance or certification requirements, it is unable to conduct business within the industry. For example, the retail, hospitality and services industries that handle payment card data must meet PCI DSS compliance, and they must employ compliant vendors. If found in noncompliance, the major card brands (Visa, Discover, American Express, MasterCard and JCB) may fine banks, which can, in turn, fine merchants, increase fees, or discontinue relationships with certain companies.
Data Breaches Increase; Hacking Increases
There’s a good reason why New York is pushing for stronger data security laws. A report issued by the N.Y. AG found that in the seven-year period from 2006-2013, 22.8 million records of New York residents were exposed in almost 5,000 breaches, with the number of breaches more than tripling over that period. The cost of the data breaches was spread across the public and private sectors, amounting to $1.37 billion in 2013.
The report also found that hacking was the leading cause of security incidents, accounting for about 40 percent of all breaches. In a similar statewide data breach report, the California State Attorney General found that hacking and malware accounted for 93 percent of the total records breached, a staggering 18.5 million records (up 640 percent from the previous year). Learn more in California Breaches Increase 30 Percent in 2014; 84 Percent Retail.
Another data security effort by the state is making e-prescriptions mandatory by March 27, 2015, a move that also requires pharmacies, practitioners and software vendors to meet the Electronic Prescriptions for Controlled Substances (EPCS) standards established by the U.S. Drug Enforcement Administration (DEA).
The security guidelines were outlined in an effort to cut down on prescription drug theft and to bolster identity and authentication security. One of those ‘identity-proofing’ requirements is the use of two-factor authentication to ensure that the person signing the prescription is actually authorized to do so. Learn more in Securing E-Prescription Applications & Identity-Proofing.
The state’s move towards greater data security legislation comes at a time of heightened information security awareness in the mainstream and mass media, following the recent breach of entertainment giant Sony Pictures and a year of colossal retail data breaches.
The White House is continuing its efforts in security legislation and awareness by holding a one-day Cybersecurity Summit hosted at Stanford University on February 13, aimed at increasing security information sharing, improving security practices and technologies, and advancing secure payment adoption and technology as part of the BuySecure initiative.
Find out more about data breach legislation in:
- A Medley of State Healthcare Data Laws: Insurance Encryption & 2FA for E-Prescriptions
- New Federal InfoSec Initiatives; CENTCOM Social Media Hacked