NY Attorney General Proposes Not Terrible Cybersecurity Legislation

from the did-he-not-get-the-memo? dept

The state of New York wants to get in on all the cybersecurity fun the kids legislators and intelligence officials are talking about these days. New York Attorney General Eric T. Schneiderman has announced his plan to introduce cybersecurity legislation this year, putting the state in the position to regulate data security and its citizens' privacy.

Most legislation that includes the word "cyber" is nothing more than an excuse to give the government a larger piece of the action -- generally by redefining the term "information sharing" to mean a one-way street of data collection running from private companies (and their customers) to various law enforcement and security agencies.

Schneiderman's proposal seems to be more skewed towards actually increasing protections of companies and customers, rather than simply codifying additional government access. But before we start passing around high fives and popping champagne corks, it must be noted that not a single word of this has been put to paper yet (excluding the press release). At this point, it's just a proposal for legislation. There's no first draft to read and no indication what its interplay (amendments, etc.) with existing laws will entail.

That being said, most of what's delivered in Schneiderman's statement is mostly reasonable. Most of what's being asked for should have already been in place (including additional restrictions on the sharing of medical data). Many companies (coughSONYcough) seem to treat their customers' personal data as an afterthought -- something that only deserves attention after it's been Pastebinned for the world to see.

Expand Definition of Private Information- New York legislators should expand the definition of “private information” to include both the combination of an email address and password, and an email address in combination with a security question and answer, as California already has done. Additionally, the definition of private information should include medical information, including biometric information, and health insurance information.

Legislate Reasonable Data Security Requirement- All entities that collect and/or store private information should be required to have reasonable security measures to protect said information. These measures should include:

Administrative safeguards to assess risks, train employees and maintain safeguards.

Technical safeguards to (i) identify risks in their respective network, software, and information processing, (ii) detect, prevent and respond to attacks and (iii) regularly test and monitor systems controls and procedures.

Physical safeguards to have special disposal procedures, detection and response to intrusions, and protect the physical areas where information is stored.

Certification- Entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.

Legislate a Safe Harbor to Provide an Incentive for a Heightened Level of Data Security– New York needs to incentive businesses to implement the most robust data security. To do so, New York should offer a safe harbor if a company adopts a heightened form of security. To comply, entities would be required to categorize their information systems based on the risk a data breach imposes on the information stored. Once information systems are categorized, a data security plan based on a multitude of factors would be implemented and followed. Once this standard is met, the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.
Overall, not terrible, with a couple of caveats. One: the government's ability to protect itself from cyberattacks and other hacking ranges from less-than-adequate to abysmal. Considering its lack of self-awareness, it seems presumptive to put itself in the position of setting standards for data security. Sure, it could bring in actual experts in the field to craft these, but once legislators have had their say, what's been recommended may only bear the faintest resemblance to what's actually implemented.

Two: while the proposal helpfully expands the definition of "private information," it fails to provide specifics about who can or can't access this information. Any company could route around these restrictions with some fine print in its Terms of Service. And there's nothing forbidding the acquisition of medical, biometric and insurance data by the state itself. In fact -- and here's where we head into the "fairly decent BUT" section" -- the proposal lays the groundwork for one-way information sharing in the final paragraph.
Protection for Sharing Forensic Data- Finally, in the event of a data breach, New York should incentivize companies to share forensic reports with law enforcement officials. One way to accomplish this would be to make sure that the disclosure of a forensic report to a relevant law enforcement agency for the purposes of investigating those responsible for a data breach does not affect any privilege or protection. This would allow companies to feel comfortable with the free sharing of information while giving authorities a better chance at catching those responsible.
This is more sensible than other proposals as it looks to limit sharing of data to forensic data only. Then again, this is a proposal and, while all intentions are pure, it's a long way from a finished product. When the bill finally hits the legislative floor, it's very likely that this restrictive sharing will be loosened. Considering the panic that surrounds all things cyber-related -- especially once some enterprising do-gooder tosses the word "cyberterrorism" into the mix -- it's going to take a very dedicated and obstinate person to shepherd this through with most of these protections still intact.

And someone's still going to need to sell this additional layer of regulation to the companies it will affect -- many of whom have some pull in the upper reaches of the government. They're not exactly going to welcome the additional expense of implementing solid data security, even if they should have been on top of this since day one. The litigation safe harbor should make the pitch a bit more appealing, but again, it will take someone dedicated and tenacious to ensure the requirements aren't watered down into uselessness on its way to the governor's desk.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, eric schneiderman, new york, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 21 Jan 2015 @ 4:01pm

    Vaporware announcement

    ... not a single word of this has been put to paper yet...
    Vaporware.
     

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 21 Jan 2015 @ 4:18pm

    Actually protecting the citizens? Giving them even a sliver of a right? Some degree of checks and balances? What a heretic!

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 21 Jan 2015 @ 4:51pm

    Private Information

    "Private Information" should be defined as any information that can be mapped to an individual or device.

    Any access to private information should require explicit informed consent and opt-in.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 21 Jan 2015 @ 6:06pm

    Almost none of that will remain intact. Obamacare is busy passing data to 3rd party dataminers such as Doubleclick to name one of many.

    http://bigstory.ap.org/article/31490a20926d4ed3b98ff2d0ed8fc81d/new-privacy-concerns-over-government s-health-care-website

    Then you have the NSA busy using the very malware this bill is talking about protecting businesses from for it's own purposes of hiding it's actions.

    http://www.computerworld.com/article/2872292/nsa-secretly-uses-scapegoats-data-mules-and-innocent-vi ctims-pcs-for-botnets.html

    All of which makes mockery of the idea of privacy and security.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 21 Jan 2015 @ 9:35pm

    This is a call for funding proposals

    Translation:

    "I'm interested in raising money from people on all sides of this issue, and I'm soliciting bids for who gets to write the legislation for me."

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 22 Jan 2015 @ 1:43am

    may not be terrible atm, but the future can change things!

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 22 Jan 2015 @ 4:59am

    How will "forensic data" be defined s we've seen in the past the Government has a different dictionary I think "Definition According to (Dictionary name)" should be included in all new legislation.

    link to this | view in thread ]

  8. icon
    GEMont (profile), 23 Jan 2015 @ 4:18pm

    Re:

    Now this is exactly the kind of thing that is creating the driving force behind the removal of anonymity and free access to the web.

    If it wasn't for the vast incomes the crooks in the halls of power were pulling in monthly from their gambling and porno sites, the web would have been ID-card-holders only, years ago.

    Good work, BTW. :)

    ---

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.