New York Enters First Settlement Agreement for Violation of Its Security Breach Notification Law

Posted by Thomas Jeffry

Last Thursday, New York Attorney General Andrew Cuomo announced that his office had entered into its first settlement under that state’s Information Security Breach and Notification Law enacted in 2005.

When it comes to notification that private information on a stolen laptop computer may be compromised, time is not your friend. The New York law requires a business that maintains such data for someone else to notify “the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.” In addition, both the owner and the licensee of such information have an obligation to disclose, “in the most expedient time possible and without unreasonable delay,” any breach of the security of the system to any New York resident “whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.” (New York State General Business Law § 899-aa) The law includes the common provision that such notification may be delayed if a law enforcement agency determines that the notification would impede a criminal investigation.

In addition, when notification is necessary, the following New York state agencies must also be notified: Attorney General, Office of Cyber Security & Critical Infrastructure Coordination, and the Consumer Protection Board.

In this case, the laptop was taken by a member of the janitorial staff and was eventually recovered by the FBI. The settlement was with CS STARS LLC, which provides Workers’ Compensation claims management services to the New York Special Funds Conservation Committee; the Committee owned the data and used it to help workers obtain benefits. According to Mr. Cuomo, there was a seven-week lag between the time CS STARS noticed that the laptop computer containing private information was missing and the time it notified the New York Special Funds Conservation Committee and the FBI of the potential security breach. The New York state agencies did not receive notification until the following day.

The FBI, pending investigation of the breach, asked that individuals whose private information was subject to the breach not be notified. The FBI gave clearance to CS STARS to make the individual notifications approximately two and a half weeks later. Altogether, it was 70 days from the time the laptop was discovered missing until the time individuals were sent written notice of the breach. The Attorney General pointed out that there was ample time for affected individuals to be “victimized” even though there was no evidence that private information was actually compromised or used to steal identities.

Without admitting any liability, CS STARS agreed in the Settlement to comply with the law, ensure that proper notifications will be made in the event of any future breach, and to beef up its security practices.  In addition, it paid the Attorney General’s office $60,000 for costs related to the investigation.

This case and the settlement reaffirm the need for all organizations that hold covered private information to be prepared in advance to respond to security breaches involving electronic data stored on stolen computers and other electronic devices. Note what the law enforcement exception did and did not cover here: the FBI hold accounted for only the final two and a half weeks of the 70 days, and nothing excused the seven weeks that passed before CS STARS told the data owner or anyone else that the laptop was gone. While the relatively meek terms of the settlement suggest that the Attorney General may have sympathized to some degree with the circumstances of this particular situation, the AG nevertheless took the opportunity to emphasize that delays in making the initial reports and disclosures will not be tolerated. When equipment is unaccounted for, organizations do not have the luxury of waiting to see whether it turns up. Timing is everything when it comes to security breach notification laws.
