New York Enacts Security Breach Legislation

Full Disclosure Now Required

Business and government institutions that maintain databases of customers’ and/or citizens’ personal information will be required to notify citizens if such information is compromised through a computer security breach, under the recently enacted Information Security Breach and Notification Act. The legislation, which goes into effect on Dec. 5, also provides for enforcement measures, in the form of fines, for noncompliance.

The legislation was proposed in an effort to curb the burgeoning problem of identity theft, which last year affected many New York residents. According to statistics published by the Federal Trade Commission, New York state had the third-highest number of identity theft victims nationally in 2004, with only California and Texas ranking higher.

According to a report on Internet security threats published in September by antivirus software maker Symantec, between Jan. 1 and June 30, malicious code that exposed confidential information represented 74 percent of the top 50 malicious code samples, up from 54 percent the previous six months.

“Just in the last year, more than 9,000 New Yorkers were exposed to identity theft because of inadequate security and poor notification procedures. Until now, identity theft was often an unseen crime because companies and the government did not need to notify New Yorkers when their information was stolen,” said Assemblymember James Brennan (D-Brooklyn), who was the main sponsor of the Information Security Breach and Notification Act. “Now New Yorkers will be notified, which makes turning a profit off of identity theft that much harder.”

Specifically, the new law “requires any state agency or business which owns or licenses a computerized database which includes vulnerable personal information shall disclose any breach of security of such system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person,” according to a report published by the state assembly.

The language of the act specifies that the types of information that fall under its jurisdiction include names of people or other identifying information plus a “social security number, driver’s license number or non-driver identification card number, or account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”

Additionally, the new legislation requires that state entities notify the attorney general, the state office of cyber security and critical infrastructure, and the consumer protection board when such an event occurs. The Security Breach and Notification Act also requires that consumer credit reporting agencies, such as Equifax and Experian, be notified when 5,000 or more New York residents are affected by such a breach.

Prior to the new act’s passage, businesses that operated in New York were not legally obligated to notify private citizens if their personal data was stolen through a breach in computer security. After Dec. 5, businesses that do not report such breaches in security to affected citizens will face fines in the amount of the greater of $10 per instance of nonnotification or $5,000, not to exceed $150,000.

“If a person is not aware that he or she has been a victim of identity theft, then the damage done could be severe and irreversible. Prompt notification gives New Yorkers needed protections,” Brennan said.
©1997 - 2008 New York State Society of Certified Public Accountants.