"Identity theft is a gross violation of privacy that can have disastrous consequences for unsuspecting victims," Governor Pataki said. "This legislation will help protect New Yorkers by ensuring that if there's an incident businesses and governments will notify consumers that their personal and confidential information may have been compromised. This early notification will help potential victims protect themselves and minimize any disruption to their lives."
The Information Security Breach and Notification Act requires that without unreasonable delay any resident of New York State be notified if their private information such as social security number, driver's license number or financial account numbers was obtained without proper authorization. In the event of a breach, people that are impacted would be notified by mail, email, public notices on websites or through the media.
Whenever 5,000 or more residents are affected by a security breach, the State Attorney General, the State Consumer Protection Board and the Office of Cyber Security and Critical Infrastructure Coordination must be notified. In addition, the incident would be reported to consumer reporting agencies such as Equifax, Transunion and Experian. Violations of this law can result in civil action brought by the Attorney General who would seek restitution for the victims and fines on the offending entity.
In April 2005, Governor Pataki's Office of Cyber Security and Critical Infrastructure Coordination issued a policy requiring state agencies to notify individuals in the event that private information is released from a security breach. In addition, local governments are required to develop a policy or pass a local law that is consistent with the act.
Wil Pelgrin, Director of the Office of Cyber Security and Critical Infrastructure Coordination said, "New York recognizes the importance of maintaining the confidentiality of individuals' private information and the value of timely notification in the event of a breach. This new law expands what Governor Pataki already implemented for state agencies by now requiring that private businesses provide notification as well."
New York State Chief Information Officer Jim Dillon said, "The State takes great care to protect personal, confidential information of our citizens. Throughout the state's computer systems and networks, strong provisions and security measures are in place to prevent data theft. But in the unfortunate event a breach occurs this law can help mitigate the disruptive and costly impact to unsuspecting people and their families."
