Proposals Made for Improved State Data Breach Laws

New York and Vermont are two states looking to improve their state data breach laws in the wake of the widespread Equifax data breach.

By Elizabeth Snell

The large-scale Equifax data breach has pushed some states into creating more stringent state data breach laws, looking to close gaps in how sensitive consumer information is protected.

The Vermont House Committee on Commerce and Economic Development will hold hearings to discuss data privacy and security issues, according to a press release.

“Representatives from the Attorney General’s Office, the Department of Financial Regulation, and the Office of Legislative Council will join the Committee in presenting a brief summary of current law and recommended responses to security breaches,” the Committee explained. “Members of the House of Representatives and the Senate have been invited to join the Committee at these hearings.”

“The Committee will hear from the public their questions, experience with breaches, concerns, and suggestions,” the statement continued. “This topic is a continuation of the Committee’s work last session, and of particular interest in light of current events in relation to the Equifax breach.”

Chittenden County Sen. Michael Sirotkin explained in a press conference that he is working on legislation to give Vermont residents new legal options should a similar incident happen in the future.

“What that means is that consumers will have a private right of action, if this bill passes, where they will be able to get their damages for their time and expense and their attorneys’ fees and the cost of repairing the problem,” Sirotkin said, reported Vermont Public Radio.

New York Attorney General Eric T. Schneiderman also introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to the state legislature last week. Sponsored by Senator David Carlucci and Assemblymember Brian Kavanagh, the bill would require companies to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data.

The bill’s definition of personal information that would require notification should it become breached includes information covered under HIPAA regulations, biometric data, and username-and-password combinations.

“New York's data breach notification law needs to be updated to keep pace with current technology,” the bill’s summary explains. “This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information.”

Senator Carlucci said in a statement that New York is “woefully unprepared to protect against cyber attacks” and that it will act to protect New Yorkers “while the federal government drags their feet.”

Assemblymember Kavanagh added that data security practice deficiencies at big businesses have put millions of New Yorkers at risk.

“I am proud to work with Attorney General Schneiderman on this important legislation to require businesses to take appropriate steps to safeguard our data,” Kavanagh said in a statement. “In this technological age, we cannot allow companies to be careless with our personal information. I look forward to working with Senator Carlucci and our colleagues in the legislature to enact this bill into law.”

New York has been at the forefront of updating its data security and protection laws. In June 2016, proposed legislation included individuals’ medical information under its definition of personal information.

Senate Bill S5601 also stressed the importance of updating the state data breach law to keep pace with evolving technology, stating that the scope of information covered and the notification process need to change.

“Should a data breach occur in New York State, the Office of the Attorney General will post information about the breach on its website and the Office of Information Technology Services shall deliver a report on the scope of the breach to the entity affected,” the bill states.

The Office of Information Technology Services will also need to develop and provide regular trainings to all entities on preventing data breaches.

If passed, S5601 would take effect on January 1, 2018. It is currently listed as being “In Committee” and was committed to rules on June 21, 2017.
