NY AG Calls for Safeguards on Biometric Data

The state legislation would update existing law to include personally identifiable information like fingerprints and eye and facial patterns.

by Brian Nearing, Times Union / November 3, 2017

(TNS) -- The state should take its first-ever measures to protect biometric data collected by employers and businesses — which is based on personal characteristics like fingerprints, eyes and facial patterns — from computer hacking, Attorney General Eric Schneiderman said Thursday.

Schneiderman introduced a proposed law that would add biometric data to updated state protections aimed at a growing number of high-profile computer hacks of confidential personal data kept by businesses on their customers.

Named the "Stop Hacks and Improve Electronic Data Security," the law also would apply to any businesses that collect such digital and biometric information on their employees, such as companies that use fingerprint-based systems to manage employees' work hours.

"It's clear that New York's data security laws are weak and outdated," said Schneiderman, who had proposed tougher data laws in 2015 that did not gain approval in the state Legislature.

"It's time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl," he said.

Current state law sets data security and reporting requirements on companies if hacked personal data is linked to Social Security numbers. But companies are not required to report breaches that involve username-and-password combinations, or biometric data.

In 2016 alone, the Attorney General's office received a record 1,300 data breach notifications, representing a 60 percent increase over the previous year. The recent breach at the Equifax credit history reporting service could have compromised financial records of more than eight million New Yorkers.

Schneiderman's proposal would require companies to adopt "reasonable" administrative, technical, and physical safeguards for sensitive data, and report breaches on these other types of data, including confidential health data.

The law could also provide legal liability protection to companies that show the state that strong protective measures were taken to guard against hacks, while exposing firms that had weak security to potential penalties and legal action from the Attorney General.

Such requirements would be less strict for small businesses with fewer than 50 employees.

Zack Hutchins, a spokesman for The Business Council, an Albany lobbying group for businesses, said they are "very concerned" about a growing number of cyberattacks by criminals seeking personal data.

He said allowing looser standards for small business makes sense, but questioned how part of the proposed law — which would require reporting by any business, regardless of its location, that has data on New Yorkers — could be implemented.

The bill is being sponsored by state Sen. David Carlucci, a Rockland County Democrat, and Assembly member Brian Kavanagh, a Democrat from Manhattan.

AARP New York State Director Beth Finkel said, "Identity theft is no longer a vague worry that might impact someone we know; the Equifax scandal has made it a threat to each of us."

©2017 the Times Union (Albany, N.Y.) Distributed by Tribune Content Agency, LLC.