Information Security Breach And Notification Act Now State Law

Charles J. Fuschillo Jr.

August 12, 2005

Businesses and government agencies will soon be required to make consumers aware of security breaches now that consumer friendly legislation sponsored by Senator Charles J. Fuschillo, Jr. (8th Senate District) has become law. The "Information Security Breach and Notification Act", which takes effect in early December, will require all companies and state agencies whose files containing consumers’ private financial information are acquired by unauthorized individuals to notify those consumers in New York State. This will ensure that consumers will have the ability to protect themselves from possible fraud and identity theft.

This new law is reflective of a cooperative effort between Senator Fuschillo, who is the Senate Consumer Protection Committee Chairman, and Assemblymember Jim Brennan (44th Assembly District), Chairman of the Assembly Committee on Oversight, Analysis and Investigation. The passage and approval of this legislation follows months of meetings and discussions with the Assembly, industry representatives and consumer groups.

"This law will add a layer of protection and a level of comfort for New York State residents. When the ‘Information Security Breach and Notification Act’ goes into effect before Christmas, consumers will get timely notification and be able to protect themselves and their finances from being victimized," stated Senator Fuschillo. "As a victim of identity theft myself, I know firsthand how invasive and disruptive this crime can be. This will go a long way in protecting consumers from the pervasive effects of this crime."

When this law goes into effect later this year, whenever a state entity or private business has its computer system compromised by criminals or hackers, and certain information is acquired by a person without valid authorization, all New York State residents whose information was affected must be notified in a timely fashion. This statewide notification would be initiated if any private, personal information, such as name, in combination with other information including social security numbers, driver’s license numbers, non-driver identification numbers and account information, was either stolen or compromised.

When notification is necessary, it must be provided either by phone, mail or in electronic form, if the customer has already consented to receiving email notification. A substitute manner of notification is allowable in certain circumstances if it consists of email notice, posting of any notice on an official website and statewide media notification.

Identity theft occurs when information is illegally obtained and is utilized by a criminal to open credit card accounts, write bad checks, buy cars, and commit other financial crimes under that person’s identity.

Any security breach that requires a consumer notification would also have to brought to the attention of the Attorney General, the New York State Consumer Protection Board and the state office of Cyber Security and Critical Infrastructure Coordination. Public notification could only be delayed through request of law enforcement or if a delay is needed to allow time to determine the scope of any breach and to safeguard the compromised system against further intrusion.

In this year alone, several companies, including ChoicePoint, Lexis Nexis, Polo Ralph Lauren, DSW Show Warehouse, and major universities and financial institutions have been victimized by security breaches, enabling criminals to potentially access the personal information of millions of individuals.

According to the Identity Theft Resource Center, there are over 10 million identity theft victims in the United States per year and the total cost of identity theft is estimated at $50 billion. Additionally, approximately 85% of victims only found out about the crime due to an adverse situation, such as denied credit, contact by a collection agency or receiving of credit cards or bills for merchandise never ordered.

"Consumers deserve to have the ability to protect their credit and finances when their personal information is compromised because of a security breach. Under this new law, New York residents will know when they are at a higher risk, allowing them to act quickly to minimize any damages and prevent criminals from destroying their credit," concluded Senator Fuschillo.