May 4 — Breach notifications in New York are up 40 percent in the first quarter of 2016 over the same period last year, Attorney General Eric Schneiderman (D) announced May 4.
“It's not surprising that the data breach reporting statistics are up,” Craig A. Newman, a complex litigation partner with Patterson Belknap Webb & Tyler LLP in New York and chairman of the firm's data security practice group, told Bloomberg BNA May 4. “There's a growing realization that cyberattacks can strike a devastating blow to an organization,” and “unfortunately, this is a risk that is not going away,” he said.
In fact, there is a “significant increase in highly malicious breaches,” Lisa Sotto, chairwoman of Hunton & Williams LLP's global privacy and cybersecurity practice in New York, told Bloomberg BNA May 4. “These attacks look beyond credit card data to theft of highly confidential information” such as trade secrets and M&A deal data, she said.
The New York attorney general's office received 459 data breach notices from Jan. 1 to May 2 compared to 327 during the same time frame last year. Schneiderman expects more than 1,000 notifications this year, “a new record,” the office said.
“I am committed to stemming the data breach tide,” Schneiderman said. “Making notification to my office easier for companies who experienced a data breach means quicker notification and quicker resolution for New York's consumers,” he said.
Schneiderman, however, may want to focus on what breaches aren't being reported instead of making notification easier for New York companies.
“The spike in data breach reporting begs a larger question—how many breaches go undetected?” Newman asked. Companies can't report breaches that they don't detect and “there's still significant lag time between the time of a data breach and its detection,” he said.
However, companies have been more cognizant of the cost of a data breach and the spike in New York notifications “bears this out,” Newman said. “Organizations that devote the time, energy and resources to cybersecurity preparedness are almost always better positioned to deal with a breach,” he said.
After a breach the company “should immediately pull out its incident response plan which, hopefully, has been practiced in advance in tabletop breach simulations,” Sotto said. Incident response usually requires the assistance of outside counsel and can be an extensive process when the breach is reported to “over 20 state agencies, including three NY regulators,” and leads to an “inevitable class action,” she said.
Breach prevention is “all about preparation, preparation and preparation,” Newman said.
New York's current data breach law “is out of step with the vast majority of state breach laws” because it doesn't “contain a harm threshold,” Sotto said. “It isn't helpful to notify customers or employees when their data has simply been sent to the wrong, but still trusted, vendor,” she said.
Such a threshold “would require notification only if there is a risk of material harm to the individual and would save a good deal of hand-wringing by the recipient of the letter,” Sotto said.
Schneiderman has attempted to update New York's breach notification laws in the past (14 PVLR 117, 1/19/15). In 2015, he pledged to make the law the “strongest” in the U.S.
That promise remains unfulfilled.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Text of the May 4 data breach notification announcement is available at http://www.ag.ny.gov/press-release/ag-schneiderman-announces-record-data-breach-notifications-2016.