ALBANY — New York Attorney General Eric T. Schneiderman is proposing a bill that he said will protect New Yorkers against breaches of personal security data, as in the Equifax breach in which the Social Security numbers of 143 million Americans were exposed.
Schneiderman told Newsday his proposed SHIELD Act is needed because under current law, there are few, if any, data security requirements for companies as long as the personal information they handle doesn’t include Social Security numbers.
“It’s clear that New York’s data security laws are weak and outdated,” Schneiderman said. “The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl.”
Schneiderman is scheduled to announce details of the bill Thursday in Manhattan.
The Democrat has the support of two major sponsors in the State Legislature: Sen. David Carlucci (D-Clarkstown) of the Independent Democratic Conference and Assemb. Brian Kavanaugh (D-Manhattan), who lead their chamber’s consumer protection committees.
Equifax, a major credit bureau, was hacked to access personal information between May and July, including Social Security numbers, birth dates and addresses. Such data could be used to steal identities that could be used to make unauthorized charges on credit cards.
The proposed legislation also would empower the attorney general to sue companies that don’t adequately provide security for the data they handle and broaden the information companies must provide to consumers when there is a data breach, according to Schneiderman, a former state senator.
But Schneiderman said the measure also includes provisions to ease burdens on businesses and avoid forcing companies to adhere to duplicate regulations, while providing an incentive to certify that companies comply with safety precautions.
The bill would allow companies that can prove adequate compliance through state and federal regulators to be “certified compliant entities” that wouldn’t be subject to enforcement actions by the attorney general’s office under the measure.
In addition, Schneiderman’s bill would provide provisions to make it easier for small businesses employing fewer than 50 people with less than $3 million in gross sales to meet the requirements.