Nationally, more than 342 million records containing personal information were involved in data breaches from 2005 - 2009, according to reports by the Privacy Rights Clearinghouse. In 2009, more than 1.1 million records of New York State residents were impacted by more than 400 data breaches. Therefore, the New York State Consumer Protection Board (CPB) is committed to providing important information and resources to help businesses avoid data breaches, and recommending steps that affected consumers can take to help prevent the possibility of falling victim to identity theft and financial fraud. A December 2009 report by Javelin Research indicated that individuals whose personal information has been compromised in a breach are four times more likely to suffer identity theft or fraud.
Oversight
A data breach occurs when an unauthorized person acquires or is reasonably believed to have acquired an entity's computerized data containing personal information of individuals consisting of a combination of a person's name, Social Security number (SSN), driver's license number, or bank account number, and/or credit or debit card number with PIN or access code (defined by law as "private information"). Any resident of New York State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization must be notified so that they may take appropriate action to protect themselves from the increased risk of identity theft. The primary method of notification is the mail, but under certain circumstances, notification through e-mail, telephone, website posting, or through the statewide media may also be permissible.
In the event of a security breach, New York State law also requires businesses and government entities to notify the CPB, along with the Office of the New York State Attorney General and the New York State Office of Cyber Security and Critical Infrastructure. To inform the public and to bolster consumer protections and information security practices, the CPB scrutinizes data breach reports and monitors their timeliness as well as the information reported.
Public Exposure of Data Security Breaches
The CPB website highlights reported data security breaches. This information is also sent via the Agency's twitter feed. When major security breaches, such as the Express Scripts, Health Net and Educational Credit Management Corporation (ECMC) incidents, impacted New Yorkers, the CPB stepped in to assist affected consumers and respond to their questions.
A March 2010 data security breach at ECMC, a Minnesota-based guarantor of student loans, affected 3.3 million people nationwide, including more than 153,000 New Yorkers. It is believed to be one of the largest-ever breaches of student loan information. According to ECMC, the theft of data included names, addresses, Social Security numbers (SSNs) and dates of birth.
The CPB issued a press release to advise consumers about the situation and recommend steps that affected borrowers can take to reduce the likelihood of falling victim to identity theft and financial fraud. These include placing a fraud alert with the three major credit reporting agencies, ordering free credits report from www.AnnualCreditReport.com, carefully reviewing all credit card and financial statements to be on the lookout for any unauthorized transactions, and closing accounts that are known to be compromised.
Express Scripts and Health Net
Similarly, the CPB gave assistance to consumers who were victims of major data breaches at Express Scripts (237,000 New York residents) and Health Net (346,000 New York residents), answering questions relating to the difference between a fraud alert and a security freeze; obtaining free credit reports from www.AnnualCreditReport.com versus obtaining credit reports for a fee through commercial entities; and, credit monitoring versus other forms of identity theft protection. The CPB also interceded on behalf of multiple consumers regarding their communications with credit reporting agencies.
Breach Resources
The CPB has taken steps to address the increasing incidence of data security breach by educating the public on potential effects and consequences, and offering step-by-step guidance to affected consumers.
The Agency has been nationally recognized for the many resources it has developed regarding security and data breaches, especially this past year. These include Surviving a Data Breach, a Sample Letter from a Breaching Entity to Notify New Yorkers of a Security Breach Incident, and a Fact Sheet for Business. The CPB created a dedicated section on its website to assist businesses and consumers who are dealing with the consequences of a data security breach. Along with small businesses, consumers are now turning to the CPB's materials and to its Consumer Assistance Advisors for guidance and direct assistance.