Last Wednesday, State Attorney General Eric Schneiderman announced that he has proposed a bill that is intended to protect New Yorkers against breaches of personal security data. The proposal comes in the wake of the Equifax breach, in which the Social Security numbers of 143 million Americans were exposed.

The bill would impose a legal responsibility on businesses to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data. It would also expand the types of data that trigger reporting requirements to include username-and-password combinations, biometric data, and HIPAA-covered health data. Finally, it would provide companies that obtain independent certification that their data security measures meet state standards with a “safe harbor” from state enforcement actions.

While protecting customer data is obviously extremely important, we are not sure that a state-specific data protection law is the right answer in an era where data crosses state lines so easily. The United States has a patchwork of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another. Rather than add to that patchwork, state lawmakers should work with their federal counterparts to develop and implement a single, nationwide data protection standard.