The Business Council opposes A.10475-A (Dinowitz)/S.6834-B (Venditto) which broadens the scope of information covered under the notification provisions regarding security breaches.
The bill expands the definition of personal information to include biometric information; user name or email addresses and HIPPA generated information. The bill also defines credit and debit cards and then requires the issuers to notify customers of the breach of security prior to the actual issuance of replacement cards. This language is unclear as to what is accomplished and what new obligations are being placed on the issuers of cards. If a breach occurs that compromises a card issued by a financial institution current law provides the requirements for issuance. However if the breach occurs at the merchant level, the obligation lies with the merchant to notify the customer of the breach and not the issuer of the card. The notification does not clarify but rather muddles the process as the companies manage the breach.
In addition, the bill would essentially mandate a media campaign requiring companies to alert the media of data breaches. Debit and credit cards definitions as articulated in the bill are also problematic and confusing, as are the various convoluted mandatory notifications of numerous state agencies that, in turn, will disseminate the information provided by companies to even more state agencies creating a massive data bureaucracy running the risk for even further data breaches. For example, it requires the Department of State to receive complaints relating to any breach of security – it is unclear then what “appropriate referrals” the agency would be necessary given the notice requirements in the previous subsection 8; and how any additional information relating to how to respond to a breach or “best practices” would mesh with the specific requirement already imposed by this section of law. It also increases the penalty provisions as well as setting an effective date that would be a challenge to meet.
For the reasons stated above, the Business Council opposes A.10475-A (Dinowitz) /S.6834-B (Venditto).