Client Alert - New York Enacts Information Security Breach Disclosure Law
Effective December 7, 2005, New York will join the ranks of some 18 other states that require businesses to notify consumers of security breaches in computerized data. Similar to California's disclosure law, the Information Security Breach and Notification Act ('the Act') requires businesses to notify consumers in New York State if their personal information has been acquired by an unauthorized user.
Pursuant to the Act, any person or business that conducts business in New York State and owns or licenses computerized data that includes private information shall disclose any breach of the security of their system, following discovery or notification of the breach, to any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without authorization. If a person or business maintains such data, but does not own it, it shall notify the owner or licensee about a security breach immediately following discovery. Disclosure must be made 'in the most expedient time possible and without unreasonable delay, consistent with the legitimate need of law enforcement . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.'
'Private information' means personal information (e.g., name, number, personal mark, or other identifier used to identify a natural person) in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted or the encryption key has also been acquired: (1) social security number; (2) driver's license number or non-driver ID card number; or (3) account number, credit or debit card number, along with a security code, access code, or password.
Notification can be made by written notice to the affected persons, or by electronic or telephonic notice under certain circumstances. If a business demonstrates to the Attorney General that the cost of providing the notice would exceed $250,000, or that the class of affected persons exceeds 500,000, then a substitute notice may be used. Notice under the Act must include contact information for the person or business making the notification, a description of the categories of information acquired and a specification of the elements of personal and private information acquired. The disclosing party must also notify the Attorney General, the Consumer Protection Board and the State Office of Cyber Security and Critical Infrastructure Coordination about the breach and the timing, content and distribution of the notification as well as the approximate number of persons affected. If more than 5,000 persons are affected, consumer reporting agencies must also be notified.
In addition to other remedies that may be available, violations of the Act may be enforced by the Attorney General in an action for injunctive relief and damages, including actual losses and consequential losses. If the violation was knowing or reckless, the Court may impose a civil penalty of $5,000 or up to $10 per instance of failed notice, whichever is greater, up to $150,000.
We would be pleased to advise you regarding this and other recent legislation on privacy and the protection of personal information.
For more information, please contact Meichelle R. MacGregor.