Federal and State Governments Responds to Recent Data Breaches and Propose New Cybersecurity Laws

Over the past few months, major retailers and Internet content providers, like Target and Sony, have been victims of massive cyber-attacks resulting in the release of customer credit card data, private corporate e-mails, and copies of major motion pictures worth millions of dollars. Just a few weeks ago, Uber reported an attack on one if its databases that exposed approximately 50,000 drivers’ names and license numbers. Anthem, a health insurance plan provider, recently confirmed that its recent data breach puts millions of people at serious risk for identity and medical theft.

As a result of these increasing cyber-attacks, it comes as no surprise that the public’s attention has been ever more focused on the continued vulnerability of corporate data systems to malevolent hackers. In an attempt to address the public’s justified concern, President Obama recently proposed a new law that would require businesses to inform customers of data breaches and provide private companies the opportunity to share information with other companies and the government regarding possible threats.

Part of the proposal, titled the Personal Data Notification and Protection Act, would consolidate various state-level rules regarding consumer notification into a national standard. The law would require businesses to provide reasonable notice to customers affected by a breach within 30 days of the breach.[1] Such a requirement would apply to situations where first and last names are stolen in tandem with addresses, telephone numbers, birthdates, social security numbers, or e-mails.[2] Companies may overcome such requirements if they demonstrate to the Federal Trade Commission (“FTC”) that additional time is necessary to prevent further breaches, evaluate risks, or restore the integrity of the data system. Moreover, the new federal law would permit injunctions against companies or fines, but the largest liabilities will likely exist in civil actions between customers, business, and payment providers.

The federal government isn’t the only one taking action as a result of the latest increase in data breaches. In addition to the already existing New York State Information Security Breach and Notification Act, New York Attorney General Eric Schneiderman recently proposed many of the same changes to cybersecurity regulations.[3] Attorney General Schneiderman estimates that data breaches cost New Yorkers nearly $1.37 billion in 2013 alone. Not only would the New York proposal require customer notification in a similar manner to the federal proposal, but it would also “require stronger technical and physical security measures for protecting information...” Although the exact details of Schneiderman’s proposal have not yet been released, the proposed state regulation would allegedly also expand the definition of private information to include data such as email address and password.

While the degree, nature, and timing of cyber-attacks are difficult to predict, there are techniques that can be employed in order to prevent these cyber-attacks. Employers should review their Internet security policies and hone in on the risk factors that make them vulnerable to Internet hackers. Irrespective of these potential changes to the data security law, businesses should continue to improve the strength of their data security systems. Additional steps must be taken to protect corporate databases in order to prevent a massive amount of information from being leaked to the general public.

If you or your institution has questions or concerns about this topic and you would like further information, please email James G. Ryan at jryan@cullenanddykman.com or call him at 516-357-3750.

Thank you to Nathan Boone, an intern at Cullen and Dykman, for his assistance with this blog post.

[1] Personal Data Notification and Protection Act, Section 101(c), available at http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-data-breach-notification.pdf.

[2] Id. § 1(h).

[3] Press Release, A.G. Schneiderman Proposes Bill Strengthen Data Security Laws, Protect Consumers From Growing Threat Of Data Breaches, Attorney General Eric T. Schneiderman, http://www.ag.ny.gov/press-release/ag-schneiderman-proposes-bill-strengthen-data-security-laws-protect-consumers-growing.