As if we needed any more confirmation that the number of reported data breaches continues to rise, in a press release dated March 21, 2017, New York State Office of Attorney General Eric T. Schneiderman (“OAG”) announced that his office received a record number of data breach notices in 2016, with almost 1,300 reported breaches. That number represents a 60 percent increase over last year, and resulted in the exposure of the personal records of 1.6 million New Yorkers (a threefold increase over last year.) The Attorney General’s office also reported that the exposed information consisted overwhelmingly of social security numbers and financial account information, and surmised that hacking and inadvertent disclosure were the two leading causes of data security breaches. As noted in the press release, the Attorney General’s office first began collecting information regarding exposure of personal data in 2005, after § 899-aa was added to New York State Business Law requiring businesses to report all security breaches of their computerized data systems containing private consumer information to the OAG in a timely manner.
The OAG’s press release also describes how, in 2016, hacking accounted for more than 40% of data security breaches, and that 519 notices reported unauthorized outside access of computerized data. Notably, while hacking similarly represented the leading cause of all data breaches from 2006 to 2013, this past year, employee negligence, which consists of a combination of inadvertent exposure of records, insider wrongdoing, and the loss of a device or media, nearly tied hacking by accounting for approximately 37% of breaches. As noted above, the most frequently acquired information in 2016 was Social Security numbers and financial account information, which together accounted for 81% of breached information in New York. Other records such as driver’s license numbers (8%), date of birth (7%) and password/account information (2%) together accounted for 1,284,037 of exposed personal records in 2016.
The OAG also reported that while 2016 saw a 59% increase in the total number of reported breaches, so-called “Mega-Breaches” were down with only two such breaches reported (an October 12, 2016 reported breach of Newkirk Products, Inc., exposing the personal health information of 761,782 New Yorkers and a January 13, 2016 reported breach at HSBC bank where the financial, personal, and social security information of 251,201 New Yorkers was exposed). In addition, the OAG’s press release reiterated what is a well-known fact: that no organization is exempt from suffering a data breach, from small family-owned businesses to large multinational corporations. The OAG also set forth the following steps for organizations to follow to help protect sensitive personal information against unauthorized disclosure:
- Understand Where Your Business Stands: The first step toward an effective data security policy is to understand what information your business requires for its operation, what data have already been collected and stored, how long the data are needed and what steps have been taken to ensure security. Organizations should review how sensitive data are acquired, how sensitive information is being shared with third parties, and what access controls are in place.
- Identify and Minimize Data Collection Practices: Put simply, data that do not exist cannot be stolen or lost. Collect only information that you need, store it only for the minimum time that you need it, and deploy data minimization tactics wherever possible. For example, if your company uses a point-of-sale system, ensure that expiration dates are not stored with credit card numbers. Reduce the use of highly sensitive data points, such as Social Security numbers, unless absolutely necessary, and minimize the length of retention for such data. Delete any information you no longer need.
- Create an Information Security Plan That Includes Encryption: Creating a comprehensive Information Security Plan is a complex but necessary endeavor. Studies show that entities with an effective plan will articulate not only technical standards, but will incorporate training, awareness, and detailed procedural steps in the event of data breaches. Read more about what a comprehensive security plan should include in the report.
- Implement an Information Security Plan: Successful implementation of a thoughtfully designed plan can be one of the most effective ways to minimize the risk of a data breach. Elements to consider when implementing a plan include ensuring employees are aware of the plan and conducting regular reviews to ensure the plan continues to conform with evolving best practices.
- Take Immediate Action in the Event of a Breach: Remember to investigate all security incidents immediately and thoroughly. In the event of a breach, the law may require you to notify consumers, law enforcement, state Attorney Generals’ offices, credit bureaus and other businesses.
- Offer Mitigation Products in the Event of a Breach: While not required by law, New Yorkers affected by a data breach should be provided with mitigation services for free. These include credit monitoring, which provides alerts, usually by email, whenever an application for new credit is submitted to a consumer credit reporting agency, and a security freeze, which blocks new credit accounts. The cost of clearing up the consequences of identity theft can easily reach into the thousands of dollars and require hundreds of hours attending to administrative burdens. [NOTE: other state’s breach notification laws require the offering of free breach mitigation services, so organizations which maintain the personal information of residents who live in states outside of New York need to be aware of those states’ breach notification requirements.
The information provided by the OAG reflects the explosive growth of data breaches over the past several years—a trend which is continuing into 2017. A recent report from the Identity Theft Resource Center (ITRC) reflects that that there have been 353 data breaches recorded this year through March 21, 2017, with over 1.3 million records compromised. That total represents a 56% increase compared with 2015. The IRTC report also details that (unsurprisingly), the medical/health care sector leads all sectors in the number of records compromised so far in 2017, 22.9% (81) of all data breaches, with the total number of records exposed in those breaches exceeding 745,000, or about 57.1% of the 2017 total.
Despite the dizzying number of facts and figures available, organizations should be most concerned with one data breach: the next one that they could potentially suffer. Accordingly, organizations should consult with their IT professionals and counsel, and implement cybersecurity policies which address, to the extent applicable, (i) the management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks; (ii) the resources devoted to information security and overall risk management; (iii) the risks posed by shared infrastructure; (iv) protections against intrusion including multi-factor or adaptive authentication and server and database configurations; (v) information security testing and monitoring, including penetration testing; (vi) incident detection and response processes, including monitoring; (vii) training of all personnel; (viii) management of third-party service providers; (ix) integration of information security into cyber incident response and disaster recovery policies and procedures; and (x) cyber security insurance coverage and third-party protections, including but not limited to provisions for cyber-security insurance, indemnification and written third-party service provider/vendor agreements.
