NY Attorney General Proposes Not Terrible Cybersecurity Legislation
from the did-he-not-get-the-memo? dept
The state of New York wants to get in on all the cybersecurity fun the kids (legislators and intelligence officials) are talking about these days. New York Attorney General Eric T. Schneiderman has announced his plan to introduce cybersecurity legislation this year, putting the state in the position to regulate data security and its citizens’ privacy.
Most legislation that includes the word “cyber” is nothing more than an excuse to give the government a larger piece of the action — generally by redefining the term “information sharing” to mean a one-way street of data collection running from private companies (and their customers) to various law enforcement and security agencies.
Schneiderman’s proposal seems to be more skewed towards actually increasing protections of companies and customers, rather than simply codifying additional government access. But before we start passing around high fives and popping champagne corks, it must be noted that not a single word of this has been put to paper yet (excluding the press release). At this point, it’s just a proposal for legislation. There’s no first draft to read and no indication what its interplay (amendments, etc.) with existing laws will entail.
That being said, most of what’s delivered in Schneiderman’s statement is reasonable. Most of what’s being asked for should have already been in place (including additional restrictions on the sharing of medical data). Many companies (coughSONYcough) seem to treat their customers’ personal data as an afterthought — something that only deserves attention after it’s been Pastebinned for the world to see.
Expand Definition of Private Information- New York legislators should expand the definition of “private information” to include both the combination of an email address and password, and an email address in combination with a security question and answer, as California already has done. Additionally, the definition of private information should include medical information, including biometric information, and health insurance information.
Legislate Reasonable Data Security Requirement- All entities that collect and/or store private information should be required to have reasonable security measures to protect said information. These measures should include:
Administrative safeguards to assess risks, train employees and maintain safeguards.
Technical safeguards to (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures.
Physical safeguards to have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored.
Certification- Entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.
Legislate a Safe Harbor to Provide an Incentive for a Heightened Level of Data Security- New York needs to incentivize businesses to implement the most robust data security. To do so, New York should offer a safe harbor if a company adopts a heightened form of security. To comply, entities would be required to categorize their information systems based on the risk a data breach imposes on the information stored. Once information systems are categorized, a data security plan based on a multitude of factors would be implemented and followed. Once this standard is met, the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.
Overall, not terrible, with a couple of caveats. One: the government’s ability to protect itself from cyberattacks and other hacking ranges from less-than-adequate to abysmal. Considering its lack of self-awareness, it seems presumptuous for it to put itself in the position of setting standards for data security. Sure, it could bring in actual experts in the field to craft these, but once legislators have had their say, what’s been recommended may only bear the faintest resemblance to what’s actually implemented.
Two: while the proposal helpfully expands the definition of “private information,” it fails to provide specifics about who can or can’t access this information. Any company could route around these restrictions with some fine print in its Terms of Service. And there’s nothing forbidding the acquisition of medical, biometric and insurance data by the state itself. In fact — and here’s where we head into the “fairly decent BUT” section — the proposal lays the groundwork for one-way information sharing in the final paragraph.
Protection for Sharing Forensic Data- Finally, in the event of a data breach, New York should incentivize companies to share forensic reports with law enforcement officials. One way to accomplish this would be to make sure that the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection. This would allow companies to feel comfortable with the free sharing of information while giving authorities a better chance at catching those responsible.
This is more sensible than other proposals as it looks to limit sharing of data to forensic data only. Then again, this is a proposal and, while all intentions are pure, it’s a long way from a finished product. When the bill finally hits the legislative floor, it’s very likely that this restrictive sharing will be loosened. Considering the panic that surrounds all things cyber-related — especially once some enterprising do-gooder tosses the word “cyberterrorism” into the mix — it’s going to take a very dedicated and obstinate person to shepherd this through with most of these protections still intact.
And someone’s still going to need to sell this additional layer of regulation to the companies it will affect — many of whom have some pull in the upper reaches of the government. They’re not exactly going to welcome the additional expense of implementing solid data security, even if they should have been on top of this since day one. The litigation safe harbor should make the pitch a bit more appealing, but again, it will take someone dedicated and tenacious to ensure the requirements aren’t watered down into uselessness on their way to the governor’s desk.