New York AG Proposes 'Strongest' Data Security Law in U.S.

New York Attorney General Eric Schneiderman proposed what he called “the strongest” data security law in the nation to combat an increase in the theft of personal information online, including a breach at JPMorgan Chase & Co.

Schneiderman plans to propose a bill to legislators in Albany to expand the definition of private information to include e-mail addresses in combination with passwords or other data that would permit access to online accounts. It would also require companies that store information to have security measures in place, the attorney general said in a statement yesterday.

“It’s long past time we updated our security laws and expanded protections for consumers,” Schneiderman said. “Our new law will be the strongest, most comprehensive in the nation.”

Almost all states, including New York, have laws in place requiring companies to notify consumers when sensitive data is breached, according to the National Conference of State Legislatures. Most of those laws are designed to protect only certain kinds of personal data such as Social Security numbers and driver’s license or state identification numbers, according to the organization.

Schneiderman’s bill proposal followed President Barack Obama’s Jan. 13 call for new laws requiring companies to disclose instances when they’ve been hacked and preventing companies from profiting from student data. Obama’s proposal came after breaches at Sony Corp.’s entertainment unit and Target Corp.

Federal Mandate

While there are some industry-specific regulations, there is currently no general federal mandate requiring notification when consumers’ data is breached.

A group of 19 attorneys general including Schneiderman are seeking more information by Jan. 23 from JPMorgan about its breach, including whether any of the compromised information has been connected with fraud, according to a letter dated Jan. 8, which was obtained by Bloomberg News.

The group pressed for “any vulnerability exploited in connection” and the company’s efforts to probe and mitigate the damages, according to the letter.

“This incident raises concerns about the security of our states’ residents’ private information in the hands of JPMC,” the group said in the letter. “Further, critical facts about the intrusion remain unclear, including details concerning the cause of the breach and the nature of any procedures adopted or contemplated to prevent further breaches.”

JPMorgan, the biggest U.S. bank, said in October that a data breach by hackers affected 76 million households and 7 million small businesses, with customer names, addresses, phone numbers and e-mail details taken.