On April 26, 2007, New York Attorney General Andrew M. Cuomo announced that his office had reached the first settlement under that state’s new Information Security Breach and Notification law. For seven weeks, CS Stars LLC (“CS Stars”), a Chicago-based claims management company, failed to notify the owner of sensitive electronic data and approximately 540,000 New York consumers that their personal information was compromised. The company has agreed under the terms of the settlement to implement stricter precautionary measures, comply with the notification law in the event of another security breach, and pay the Attorney General’s office $60,000 for costs related to the investigation.
On May 9, 2006, a CS Stars employee noticed that a computer containing personal information, including the names, addresses and Social Security numbers of recipients of workers’ compensation benefits, was missing. The owner of the information was the New York Special Funds Conservation Committee (“Special Funds”), a not-for-profit organization created to assist in providing benefits to workers under the state’s Workers’ Compensation Law. CS Stars did not notify Special Funds of the security breach until June 29, 2006, more than seven weeks after the computer was found to be missing. On that same day the company also notified the FBI, which requested that no notices be sent to the potentially affected individuals because of the risk that such notices would impede its investigation. CS Stars notified the Attorney General’s office, the Consumer Protection Board, and the State Office of Cyber-Security of the breach on June 30, 2006. On July 18, 2006, the company, with the FBI’s permission, finally began notifying potentially affected individuals of the security breach. The FBI ultimately recovered the missing computer after determining that it had been stolen by an employee of a cleaning contractor. Investigations later revealed that the computer’s sensitive data had not been improperly accessed.
Under New York’s Information Security Breach and Notification law, state entities, persons, and companies who conduct business in New York and own, license or maintain private electronic data must disclose to the owner of the data any security breach “immediately following discovery.” Potentially affected consumers must be notified in the “most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” Notices must include contact information for the state entity, person or company making the notification and a description of the categories of information that were, or are reasonably believed to have been, compromised. The state entity, person or business must also notify the Attorney General’s office, the Consumer Protection Board, and the State Office of Cyber-Security as to the timing, content and distribution of the notices and the approximate number of affected persons. This same information must be conveyed to the three major consumer credit reporting agencies if more than five thousand New York residents are potential victims of the breach.
As this is the first regulatory action taken under the new law, it gives the industry guidance as to how regulators will enforce the law’s requirements. Clearly, the New York Attorney General, under these circumstances, thought that a seven-week interval between discovery of a breach and notification of the data owner did not comply with the law’s “immediately following discovery” requirement. Notably, the law’s allowance for delay “consistent with the legitimate needs of law enforcement” applies to the notice sent to affected consumers, and the FBI’s request in this case came only after Special Funds had been notified; it did not excuse the earlier seven-week delay in telling the data owner. While there may be reasons under different circumstances for such a delay, in the future, companies that maintain data belonging to others and suffer a security breach should notify the data owner promptly upon discovery, and should provide consumer notice far earlier than seven weeks unless law enforcement specifically asks them to hold it.