Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

07:15 AM

New York Crackdown

Attorney general demonstrates that Empire State won't tolerate slow disclosure of security leaks

For every 100 data breach incidents, only about eight or 10 are disclosed beyond the walls of the corporation. Sometimes they are swept under the rug, and people who might be affected are never told. Sometimes, there is notification, but it happens much later than expected.

Now, however, there may be penalties for such non-disclosure behavior. A week ago, New York Attorney General Andrew Cuomo made it clear that his office takes enforcement of New York’s disclosure law seriously: He took action against a company that waited seven weeks to notify authorities of a data breach incident. (See NY Gets First Settlement Under Breach Notification Law.)

In 2005, New York became the 19th state to follow Calif.'s lead and enact a data breach disclosure law. The New York law requires any business that maintains private information -- such as Social Security numbers, drivers’ licenses, or credit/debit card information -- to notify the data's owners of any security breach "immediately following discovery." The business also must notify all affected consumers in the "most expedient time possible," the law says.

Why did the New York AG’s office get involved in this particular case? CS STARS LLC, a Chicago-based claims management company, failed to notify approximately 540,000 New York consumers that their personal information was at risk for seven weeks.

On May 9, 2006, a laptop containing personal information was discovered missing at CS STARS. The company notified the state office it had contracted with of the incident on June 29, 2006 and then notified the appropriate state agencies on June 30, 2006. Consumer notification began in July 2006, which was apparently not soon enough for the AG’s Office.

Why notify state agencies? Unlike other states' disclosure laws, New York’s law mandates that the entity suffering the breach notify the Attorney General’s office, the Consumer Protection Board, and the New York Office of Cyber Security & Critical Infrastructure Coordination regarding the timing, content, and distribution of the notices, as well as the approximate number of affected persons. Further, the entity must also notify the Consumer Reporting Agencies if it discloses a breach to more than 5,000 New York residents. This is similar to the reporting structure used by federal entities reporting data breaches to US-CERT.

In order to settle this case without admitting to any violation of law, CS STARS agreed to comply with the data breach law in the future, implement more extensive practices relating to the security of private information, and pay the Attorney General’s office $60,000 for costs related to the investigation. The laptop was located and recovered, and the data was found not to have been improperly accessed.

What are the lessons to be learned from this story? One lesson is that bad news does not get better with time. Another is to review the landscape of IT security and breach incidents. You should implement practices and technologies to protect yourself from problems with disclosure laws, and to better protect your data (i.e. encryption). You should have a plan in place to deal with data breach incidents expeditiously.

Companies should also research the legal requirements or obligations outlined in states where they do business.

For more information on the New York law, see the New York State Attorney General’s Website. Companies that are licensed or supervised by the city’s Department of Consumer Affairs should also know that New York City has its own separate data breach law.

— Dr. Chris Pierson is an attorney with the law firm of Lewis and Roca LLP. Special to Dark Reading.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.