Publications

The New York State Attorney General’s office recently announced that it had received approximately 1,300 data breach notifications in 2016, a 60 percent increase over the previous year. The reported breaches resulted in the unauthorized exposure of personal and financial information of about 1.6 million New York State residents.^[1]

The Office of the Attorney General began collecting information regarding the unauthorized exposure of personal data after New York’s General Business Law section 899-aa was enacted in 2005. That statute generally provides that parties conducting business in New York State that own or license computerized data containing individuals’ “private information” must disclose any breach to any New York State residents whose private information was, or is reasonably believed to have been, acquired without valid authorization. In addition, businesses that suffer such a breach must notify the Attorney General and other agencies. Approximately 46 other states currently have similar data breach notification laws.

Of the roughly 1,300 incidents reported, hacking accounted for more than 40 percent of the data security breaches in 2016. Employee negligence or malfeasance, including the inadvertent exposure of records, lost devices and intentional wrongdoing, constituted another approximately 37 percent of these breaches. The most frequently acquired information in 2016 was Social Security numbers, financial account information, driver’s license numbers, dates of birth and password/account information.

No organization is immune from the risk of data breaches, which can expose firms to numerous legal obligations and may result in significant liabilities. Therefore, businesses of all sizes must guard against common causes of data breaches, such as hacking and employee acts or omissions, by:

• creating and implementing a data breach incident response plan,
• evaluating existing systems and vendor agreements to identify vulnerabilities,
• assessing the need for cyber insurance,
• frequently educating employees on cyber risks, and
• promptly investigating and remediating breaches.

^[1] The announcement is available at https://ag.ny.gov/press-release/ag-schneiderman-announces-record-number-data-breach-notices-2016.