On April 8, Bill No. A06866, sponsored by Assemblyman Jeffrey Dinowitz (D-Bronx), was introduced in the New York State Assembly.

The bill would amend the General Business Law to add a new section, 899-BB, that would require persons and businesses that conduct business in New York State and own or license computerized data that includes "private information" of a New York State resident to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity" of the information, including its disposal.

The bill specifies various safeguards that would be deemed to satisfy the reasonable-safeguards requirement, such as compliance with Gramm-Leach-Bliley regulations by a business subject to those regulations; compliance with current ISO information security standards; and compliance with current NIST standards. Compliance could also be based on a program that includes "administrative safeguards," "technical safeguards," and "physical safeguards," each of which the bill describes only in general terms.

The act would confer a rebuttable presumption that a business's safeguards are adequate if the business obtains an annual audit and certification from an independent third-party licensed insurer subject to regulation by the New York State Department of Financial Services.

There is also a safe harbor for businesses that comply with the most up-to-date version of NIST Special Publication 800-53.

If compliance with that standard is certified annually by an independent third-party licensed insurer authorized by NIST, the business would be immune from liability in any civil action resulting from a data breach, including an action brought by the New York Attorney General.

The bill was introduced after Attorney General Eric Schneiderman recently urged the Legislature to adopt a comprehensive data security law. The new section would be enforced by the Attorney General, who could, on behalf of the People, recover consequential financial damages and a civil penalty of up to $250 for each person whose information was compromised, capped at $10 million. Knowing or reckless violations would be subject to a maximum civil penalty of $50 million or three times the aggregate amount of any actual losses, whichever is greater. Furthermore, "a court may award a civil penalty... without a showing of financial loss."

If passed, the act would take effect January 1, 2016.
