Key takeaways

• New York Attorney General Eric Schneiderman has announced a proposal to broaden New York’s breach disclosure requirements and require that all businesses, breached or not, adopt “reasonable” cybersecurity measures.
• The proposal is part of a trend, both in the U.S. and globally, towards requiring that businesses have “reasonable security” in place, including dedicated internal data security programs, risk assessments, and regularly tested technical and physical safeguards.
• This new proposal may not become law, but it still matters. The New York AG regularly brings enforcement actions, and his proposal closely resembles requirements advanced by other states and federal agencies.