For every 100 data breach incidents, only about eight or ten are disclosed beyond the walls of the corporation. Sometimes they are swept under the rug, and the people who might be affected are never told. Sometimes there is notification, but it comes much later than expected.
Now, however, there may be penalties for such non-disclosure. A week ago, New York Attorney General Andrew Cuomo made it clear that his office takes enforcement of New York's disclosure law seriously: He took action against a company that waited seven weeks to notify authorities of a data breach incident. (See NY Gets First Settlement Under Breach Notification Law.)
In 2005, New York became the 19th state to follow California's lead and enact a data breach disclosure law. The New York law requires any business that maintains private information -- such as Social Security numbers, driver's licenses, or credit/debit card information -- to notify the data's owners of any security breach "immediately following discovery." The business also must notify all affected consumers in the "most expedient time possible," the law says.
Why did the New York AG's office get involved in this particular case? CS STARS LLC, a Chicago-based claims management company, waited seven weeks before notifying approximately 540,000 New York consumers that their personal information was at risk.
On May 9, 2006, a laptop containing personal information was discovered missing at CS STARS. The company notified the state office it had contracted with of the incident on June 29, 2006, and then notified the appropriate state agencies on June 30, 2006. Consumer notification began in July 2006, which was apparently not soon enough for the AG's Office.
Why notify state agencies? Unlike other states' disclosure laws, New York's law mandates that the entity suffering the breach notify the Attorney General's office, the Consumer Protection Board, and the New York Office of Cyber Security & Critical Infrastructure Coordination regarding the timing, content, and distribution of the notices, as well as the approximate number of affected persons. Further, the entity must also notify the Consumer Reporting Agencies if it discloses a breach to more than 5,000 New York residents. This is similar to the reporting structure used by federal entities reporting data breaches to US-CERT.
In order to settle this case without admitting to any violation of law, CS STARS agreed to comply with the data breach law in the future, implement more extensive practices relating to the security of private information, and pay the Attorney General's office $60,000 for costs related to the investigation. The laptop was located and recovered, and the data was found not to have been improperly accessed.
What are the lessons to be learned from this story? One lesson is that bad news does not get better with time. Another is to review the current landscape of IT security and breach incidents. You should implement practices and technologies both to protect yourself from problems with disclosure laws and to better protect your data (e.g., encryption). You should have a plan in place to deal with data breach incidents expeditiously.
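One concrete piece of such a plan is a notification timeline that is tracked from the moment of discovery rather than reconstructed afterwards. The following is an added example, not code from the article or from the author's firm: a small Python tracker that records when each party was notified, derives the recipients the article lists for New York (the data owner, the Attorney General's office, the Consumer Protection Board, the Office of Cyber Security & Critical Infrastructure Coordination, the Consumer Reporting Agencies once more than 5,000 New York residents are involved, and the affected consumers), and reports how many days each notification took. The `sla_days` value is an internal policy target that the organization chooses, not a deadline taken from the statute, and the July 1 consumer date is a constructed placeholder because the article gives only the month.

```python
"""Breach-notification timeline tracker (added example, not the article's own).

Records discovery and notification dates, lists the New York recipients the
article describes, and flags notifications that exceed an internal SLA.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Recipients the article says New York's law requires for every breach.
NY_STATE_RECIPIENTS = (
    "NY Attorney General",
    "NY Consumer Protection Board",
    "NY Office of Cyber Security & Critical Infrastructure Coordination",
)
# Article's threshold: notifying more than 5,000 NY residents adds the CRAs.
CRA_THRESHOLD = 5000


@dataclass
class BreachRecord:
    discovered: date
    ny_residents_affected: int
    notifications: dict[str, date] = field(default_factory=dict)

    def notify(self, recipient: str, when: date) -> None:
        """Record the date a recipient was notified (earliest date wins)."""
        prior = self.notifications.get(recipient)
        if prior is None or when < prior:
            self.notifications[recipient] = when

    def required_recipients(self) -> tuple[str, ...]:
        """Who must be notified, per the structure the article describes."""
        req = ["Data owner", *NY_STATE_RECIPIENTS]
        if self.ny_residents_affected > CRA_THRESHOLD:
            req.append("Consumer Reporting Agencies")
        req.append("Affected consumers")
        return tuple(req)

    def days_to_notify(self, recipient: str) -> Optional[int]:
        """Days from discovery to notification, or None if never notified."""
        when = self.notifications.get(recipient)
        return None if when is None else (when - self.discovered).days

    def status(self, sla_days: int) -> dict[str, str]:
        """One status string per required recipient against an internal SLA.

        sla_days is an organizational policy value (an assumption here), not a
        figure from the New York statute.
        """
        out: dict[str, str] = {}
        for recipient in self.required_recipients():
            days = self.days_to_notify(recipient)
            if days is None:
                out[recipient] = "NOT NOTIFIED"
            elif days > sla_days:
                out[recipient] = f"LATE ({days} days, SLA {sla_days})"
            else:
                out[recipient] = f"ok ({days} days)"
        return out


def cs_stars_timeline() -> BreachRecord:
    """Timeline built from the dates given in the article.

    The consumer date is constructed: the article says only "July 2006", so
    July 1 is used as the earliest possible day. The article does not say when
    (or whether) the Consumer Reporting Agencies were notified, so that entry is
    left empty rather than guessed.
    """
    rec = BreachRecord(discovered=date(2006, 5, 9), ny_residents_affected=540_000)
    rec.notify("Data owner", date(2006, 6, 29))          # contracting state office
    for recipient in NY_STATE_RECIPIENTS:
        rec.notify(recipient, date(2006, 6, 30))          # "appropriate state agencies"
    rec.notify("Affected consumers", date(2006, 7, 1))   # constructed placeholder
    return rec


if __name__ == "__main__":
    record = cs_stars_timeline()
    for who, line in record.status(sla_days=14).items():  # 14-day SLA is an assumption
        print(f"{who:70s} {line}")
```

Run as-is, the script prints one line per required recipient; the two dates the article gives precisely (June 29 and June 30) come out as 51 and 52 days after discovery, which is the "seven weeks" the article refers to. Swapping in your own organization's discovery and notification dates turns it into a running checklist during an incident, which is the point of having the plan before the breach rather than after.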
Companies should also research the legal requirements or obligations outlined in states where they do business.
For more information on the New York law, see the New York State Attorney General's Website. Companies that are licensed or supervised by the city's Department of Consumer Affairs should also know that New York City has its own separate data breach law.
Dr. Chris Pierson is an attorney with the law firm of Lewis and Roca LLP. Special to Dark Reading.