Senator Fuschillo's Identity Theft Protection Passes Senate

Charles J. Fuschillo Jr.

June 21, 2005

The Senate today passed legislation, sponsored by Senator Charles J. Fuschillo (8th Senate District), aimed at protecting New York residents from situations like the current MasterCard security breach. The bill passed the New York State Assembly last week. When it is signed into law by Governor George Pataki, the "Information Security Breach and Notification Act" would require all companies and state agencies whose files containing consumers’ private financial information are acquired by unauthorized individuals to notify those consumers in New York State so that they can take the necessary steps to guard against fraud and identity theft.

This legislation reflects an agreement with Assemblymember Jim Brennan (44th Assembly District) on a two-house bill, following months of meetings and discussions with the Assembly, industry representatives and consumer groups.

"The ‘Information Security Breach and Notification Act’ would give New York consumers valuable time to protect themselves from identity theft. As a victim of identity theft myself, I know how invasive and hurtful this crime can be," Senator Fuschillo said. "Timely notification is critical to providing consumers the opportunity to protect themselves from identity theft, and prevent subsequent fraud from being committed."

According to the proposed legislation, any time a computer system of a state entity or private business is compromised by hackers or criminals and certain information is acquired by a person without valid authorization, those New York State residents whose information was affected, would have to be notified in a timely fashion. The private information that would lead to this notification includes personal information, such as name, in combination with other information such as social security numbers, driver’s license numbers, non-driver identification numbers and account information.

Any necessary notification must be provided either by phone, mail or in electronic form, if the customer has already consented to receiving email notification. The company or entity may also use a substitute manner of notification, which consists of email notice, posting of any notice on an official website and statewide media notification in certain circumstances.

Identity theft occurs when information is illegally obtained and is utilized by a criminal to open credit card accounts, write bad checks, buy cars, and commit other financial crimes under that person’s identity. Although identity theft is a crime in New York State, current law does not require governments or private businesses to provide individuals with notice that their personal information may have been obtained in a computer hack.

Under the "Information Security Breach and Notification Act", any breach that requires a statewide notification would also have to brought to the attention of the Attorney General, the New York State Consumer Protection Board and the state office of Cyber Security and Critical Infrastructure Coordination. Public notification could only be delayed through request of law enforcement or if a delay is needed to allow time to determine the scope of any breach and to safeguard against further intrusion.

In this year alone, several companies, including ChoicePoint, Lexis Nexis, Polo Ralph Lauren, DSW Show Warehouse, and major universities and financial institutions have been victimized by security breaches, enabling criminals to potentially access the personal information of millions of individuals.

In a recent hearing on identity theft in Albany, which Senator Fuschillo co-chaired, the issue of notification was consistently named as one of the best weapons against the growing problem of identity theft. The hearing, which solicited input from representatives in the fields of consumer protection, business and law enforcement, was an opportunity for the members of the Senate to gain insight into this problem and assisted in the development of this legislation.