Michael Billok, Christopher Stevens, Clifford Tsan of Bond Schoeneck & King PLLC write:
A bill currently pending before the New York State Assembly (A10475) would make a number of significant changes to New York’s data breach notification statute (General Business Law Section 899-aa) in the event that it is passed and signed into law. The proposed legislation would: (i) expand the type of information that is considered ‘private information,’ the disclosure of which triggers notification requirements, (ii) require that additional information be contained in notifications sent to consumers after a breach, and (iii) more than double the maximum penalty for a failure to comply with the notification requirements.
Specifically, the proposed legislation would add biometric information (i.e. fingerprints), user name or e-mail addresses in combination with a password or security question answer, and protected health information (as defined by HIPAA) to the definition of “private information.” This is significant due to the fact that the disclosure of any “private information” triggers the notification requirements imposed by the statute. This change would bring New York law up to par with some of the most protective data breach statutes in the country.
Read more on JDSupra.