On January 15, 2015, NY Attorney General A.G. Schneiderman announced that he would propose legislation that will impose new data security standards to protect personal information, broaden the scope of information subject to existing breach notification laws,
and encourage companies to meet highest standards for data protection.
Currently, New York State does not have a law requiring entities to institute data security measures to protect consumer information. Moreover, in the event of a data breach, pursuant to NY Gen. Bus. L. §899-aa, companies are merely required to notify affected individuals if “private information” is compromised. The protection is not strong because by “Private information” the statute means
personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) social security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; “Private information” does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.
More information is available at http://www.ag.ny.gov…