In February this year, State Sen. Michael Venditto introduced a new bill – Senate Bill S6834A – that proposes changes to state legislation covering breaches of electronic protected health information and other sensitive personal data. The bill is now being considered by the Consumer Protection Committee.
If passed, the bill will give more responsibilities to New York’s Office of Information Technology Services following any data breach that affects state residents. Changes have also been proposed to broaden the definition of personal information to include consumers’ biometric data, data classed as PHI under Health Insurance Portability and Accountability Act (HIPAA) Rules, and email addresses along with passwords and/or security questions and answers.
Current state legislation requires organizations to notify a number of entities of a breach of personal information including the state attorney general and the Department of State. State Police must also be notified, although the new bill would substitute the state’s IT department in place of the state police.
The Department of State would also be tasked with receiving and responding to complaints about data breaches, and will also be required to provide information to the public about how best to respond to data security breaches as well as provide information on data security best practices to prevent a data breach.
If the bill is passed, the time frame for responding to breaches of personal information and issuing notifications to affected individuals will be a maximum of 90 days, although notifications should be issued “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
The bill would also authorize organizations to notify consumers of a breach of personal information via email, although in the event of a compromise of email addresses, alternative electronic means of communicating with consumers would be permitted.
In addition to the above changes, the new bill proposes an increase in the financial penalties that can be issued to entities that fail to comply with the new data breach notification regulations. Currently, organizations can be fined $10 per instance of failed notifications or $5,000, whichever is the greater, up to a maximum of $100,000. The new bill proposes that the penalties be increased to £20 per instance, or $5,000, whichever is the greater, up to a maximum of $250,000
If passed, the new legislation will come into effect on January 1, 2017.