The recent spate of cyber attacks and data breaches has spurred a flurry of activity at the state and federal levels. New York Attorney General Eric Schneiderman announced on January 14, 2015 that his office will introduce a bill that, should it become law, would be one of the strongest consumer data protection provisions in the country. Two days earlier President Obama, in an address at the Federal Trade Commission, stated that his administration would introduce national data breach response legislation and a Privacy Bill of Rights.
Attorney General Schneiderman’s proposal would significantly expand the types of data protected by state law and subject to breach notification requirements. The bill, as yet untitled, would require organizations to implement cybersecurity safeguards for biometric data, medical history and health insurance information. Breach notification would be required for unauthorized disclosures of email addresses and passwords. This bill, the Attorney General said, goes well beyond the existing provision, New York General Business Law Sec. 899-aa, which mandates notification only for disclosures of a person’s Social Security number, driver’s license number or credit card information. In an article published by The New York Times (available here), the Attorney General said the time had come for an updated provision because the old law has become, in light of the recent wave of breaches and attacks, “outdated and toothless.” The bill will also provide for a limited affirmative defense to, or “safe harbor” from, litigation arising from a breach if the subject organization has met certain requirements in the statute. The extent of that defense will be determined following the arduous negotiation that is part of any legislative process.
“Arduous” does not begin to describe the uphill climb the president’s bill may face in the new Congress. While the full text of that bill is also not yet available, reports indicate that it will require notification of a breach within thirty days of discovery. “Discovery” has yet to be defined, and it is unclear to what extent the bill, if it becomes law, would preempt strong state notification laws such as those in California and New York. Enforcement of the provisions of the Privacy Bill of Rights may include a private right of action, but the new Congress may well limit redress to complaints to the Federal Trade Commission (FTC). Yet, with the FTC engaging in greater enforcement activity in cybersecurity matters in recent months, to the dismay of certain interest groups, even limiting redress to the FTC may meet strong headwinds in Congress.
Upon their publication, we will discuss the texts of both bills in a future blog post. If you have questions regarding these proposals, cybersecurity compliance or breach response, please contact Kenneth N. Rashbaum.