Golden bill would force businesses to reveal security breaches

October 6, 2014 By Paula Katinas Brooklyn Daily Eagle

State Sen. Marty Golden says his bill would protect consumers in cases where hackers breach online store security.

Share this:

State Sen. Marty Golden says he will continue to push for passage of legislation he introduced to protect the privacy of New Yorkers from online hackers. Golden said, among other things, his bill would require rapid notification of any breach of email accounts or credit cards and enforce penalties against the owners of email and web services when breaches occur.

The bill, which Golden originally introduced in May, is called the New York State Online Privacy Act.

Golden said he is troubled by the recent news that security at Home Depot and Target was compromised by hackers who jeopardized the privacy of millions of customers; 40 million security cases were compromised at Home Depot and 70 million at Target.

The Wall Street Journal reported in August that the U.S. Department of Homeland Security estimated that more than 1,000 businesses across the country had been infected with malware that is programmed to siphon credit card information from cash registers in stores. The agency urged business owners to check their security systems, according to the Journal report.

“Now more than ever, after what have been almost weekly reports of breaches of the online privacy and security of our people, we need to create enforceable standards for privacy and confidentiality for our citizens when they are online,” Golden (R-C-Bay Ridge-southwest Brooklyn) said.

“This bill does that by providing that, except under strictly-defined situations, personally identifiable information cannot be released except with the permission of the user who provided that information, and it establishes a requirement that operators of websites and online services establish and show to users their privacy policies and notify them in the case of a breach of security that compromises the integrity of the information. It also establishes appropriate penalties for violations,” Golden said.

The bill would apply to all commercial email, online and web services but not to non-commercial websites or services. It would also not apply to the state or federal government, or financial institutions that adopt safeguards complying with existing federal laws.

Among its provisions, the New York State Online Privacy Act would create an Office of Privacy Protection to provide oversight, information, referral and enforcement of the privacy laws. The commissioner of the new office would be confirmed by the state senate and report directly to the governor.

The bill would require a publicly-posted privacy policy for websites and online services that is accessible on the first page of a site or easily accessible by email.

Companies that fail to notify the Office of Privacy Protection of security breaches would face penalties, Golden said.

Golden is also seeking the creation of a new breach alert system in the state’s Office of Information Technology Services.