New York Attorney General Eric Schneiderman is set Thursday to propose a bill that would raise reporting requirements for breached companies, The New York Times reported.
The proposal comes days after the White House offered its own data breach notification bill that would create a national standard for reporting requirements. Sen. Bill Nelson (D-Fla.) has said he will introduce a bill similar to the white House’s offering.
But state attorneys general have kept up the pressure as well this week. In addition to Schneiderman’s offering, 19 attorneys general on Wednesday pressed JPMorgan Chase for more information on its massive 2014 breach.
Thursday afternoon, Schneiderman will unveil his measure, expected to be one of the strictest in the nation.
Under current New York state law, companies are already required to notify consumers and employees following a data breach of private information. But Schneiderman on Thursday will offer an expanded definition of “private information.”
{mosads}“It’s long past time we updated our data security law and expanded protections for consumers,” Schneiderman told the Times.
The state’s current law mainly triggers reporting requirements when Social Security numbers, driver’s license information or credit card information are exposed. The new law would add on employee medical history, health insurance information and biometric data.
The bill would also give companies a degree of protection from civil lawsuits if they took steps to bolster their cyber defenses and cooperated with officials following a data breach.
“We are trying to find a way that businesses can pick up the phone and report an incident without feeling like law enforcement is breathing down their necks, while at the same time allowing us to do meaningful investigations and get to the root of why consumers weren’t adequately protected,” Schneiderman said.
Major data breaches at large companies like Target, Home Depot, Staples, JPMorgan and Sony Pictures Entertainment have spurred government action around the country.
States have been pressing companies to report on these breaches for some time. There are 47 state data breach notification laws.
Nineteen state attorneys general apparently weren’t satisfied with JPMorgan’s disclosures after its hack, which exposed the addresses, phone numbers and emails of 76 million households.
According to multiple reports, the group sent the bank a letter on Wednesday.
“This incident raises concerns about the security of our states’ residents’ private information in the hands of JPMC,” the group said in the letter, obtained by Bloomberg. “Further, critical facts about the intrusion remain unclear, including details concerning the cause of the breach and the nature of any procedures adopted or contemplated to prevent further breaches.”