November 6, 2017 -
New York Attorney General Eric Schneiderman is calling on the state to implement its first-ever measures to protect biometric data collected by employers and businesses from cyber attacks, according to a report by Times Union.
Schneiderman introduced a proposed law that would add biometric data to updated state protections aimed at a growing number of high-profile computer hacks of confidential personal data kept by businesses on their customers.
Appropriately titled “Stop Hacks and Improve Electronic Data Security,” the law would apply to any businesses that obtain digital and biometric information from their employees, such as companies that use fingerprint-based timekeeping systems to record employees’ work hours.
“It’s clear that New York’s data security laws are weak and outdated,” said Schneiderman, who previously proposed stricter data laws in 2015 that failed to gain approval in the state Legislature. “It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl.”
Though current state law impose data security and reporting requirements on companies if hacked personal data is linked to Social Security numbers, companies do not have to report breaches that involve username-and-password combinations, or biometric data.
The Attorney General’s office received a record 1,300 data breach notifications in 2016, which is a 60 percent increase over 2015.
The proposed law would require companies to implement “reasonable” administrative, technical, and physical security measures for sensitive data, as well as report breaches on other types of data, such as confidential health data.
The law could also provide legal liability protection to companies that prove to the state that they have adopted strong security measures to safeguard sensitive data against hacks, while exposing companies with weak security to potential penalties and legal action from the Attorney General.
These requirements would be less strict for small businesses with less than 50 employees.
Zack Hutchins, a spokesman for Albany lobbying group The Business Council, expressed concerns about the rising number of cyberattacks by criminals looking to steal personal data.
He said imposing less rigid standards on small business seems logical, but is unsure how part of the proposed law —which would require businesses, regardless of where they are located, to report any data they collect on New Yorkers — could be implemented.
The bill is being sponsored by state Sen. David Carlucci, a Democrat from Rockland County, and Assembly member Brian Kavanagh, a Democrat from Manhattan.
“Identity theft is no longer a vague worry that might impact someone we know; the Equifax scandal has made it a threat to each of us,” AARP New York State Director Beth Finkel said.
Previously reported, several states across the nation are looking to adopt Illinois’ biometrics privacy law as more organizations deploy biometric technology in various applications, and as the courts continue to figure out the potentially costly effects of the law’s mandates on businesses.