Spike in N.Y. Breach Notices May Not Reveal Full Scope

By Daniel R. Stoller

May 4 — Breach notifications in New York are up 40 percent in the first quarter of 2016 over the same period last year, Attorney General Eric Schneiderman (D) announced May 4.

“It's not surprising that the data breach reporting statistics are up,” Craig A. Newman, a complex litigation partner with Patterson Belknap Webb & Tyler LLP in New York and chairman of the firm's data security practice group, told Bloomberg BNA May 4. “There's a growing realization that cyberattacks can strike a devastating blow to an organization,” and “unfortunately, this is a risk that is not going away,” he said.

In fact, there is a “significant increase in highly malicious breaches,” Lisa Sotto, chairwoman of Hunton & Williams LLP's global privacy and cybersecurity practice in New York, told Bloomberg BNA May 4. “These attacks look beyond credit card data to theft of highly confidential information” such as trade secrets and M&A deal data, she said.

The New York attorney general's office received 459 data breach notices from Jan. 1 to May 2 compared to 327 during the same time frame last year. Schneiderman expects more than 1,000 notifications this year, “a new record,” the office said.

“I am committed to stemming the data breach tide,” Schneiderman said. “Making notification to my office easier for companies who experienced a data breach means quicker notification and quicker resolution for New York's consumers,” he said.

Schneiderman, however, may want to focus on what breaches aren't being reported instead of making notification easier for New York companies.

Undetected Breaches?

“The spike in data breach reporting begs a larger question—how many breaches go undetected?” Newman asked. Companies can't report breaches that they don't detect and “there's still significant lag time between the time of a data breach and its detection,” he said.

However, companies have been more cognizant of the cost of a data breach and the spike in New York notifications “bears this out,” Newman said. “Organizations that devote the time, energy and resources to cybersecurity preparedness are almost always better positioned to deal with a breach,” he said.

After a breach the company “should immediately pull out its incident response plan which, hopefully, has been practiced in advance in tabletop breach simulations,” Sotto said. Incident response usually requires the assistance of outside counsel and can be an extensive process when the breach is reported to “over 20 state agencies, including three NY regulators,” and leads to an “inevitable class action,” she said.

Breach prevention is “all about preparation, preparation and preparation,” Newman said.

Out of Step

New York's current data breach law “is out of step with the vast majority of state breach laws” because it doesn't “contain a harm threshold,” Sotto said. “It isn't helpful to notify customers or employees when their data has simply been sent to the wrong, but still trusted, vendor,” she said.

Such a threshold “would require notification only if there is a risk of material harm to the individual and would save a good deal of hand-wringing by the recipient of the letter,” Sotto said.

Schneiderman has attempted to update New York's breach notification laws in the past (14 PVLR 117, 1/19/15). In 2015, he pledged to make the law the “strongest” in the U.S.

That promise remains unfulfilled.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

For More Information

Text of the May 4 data breach notification announcement is available at http://www.ag.ny.gov/press-release/ag-schneiderman-announces-record-data-breach-notifications-2016.