Data breaches hit new high in New York
A record number of data breach notices were filed in 2017 with the New York attorney general, who pledged to introduce new notification requirements directed at Facebook Inc. and other social media sites.
In 2017, companies and other entities reported 1,583 data breaches compared with 1,281 data breaches reported in the previous year, according to a report called “Information Exposed: 2017 Data Breaches in New York State,” released by Attorney General Eric Schneiderman on Thursday. The 2017 data breaches exposed the personal records of 9.2 million New Yorkers — quadruple the number of New Yorkers impacted in 2016, largely due to the Equifax breach, according to the report.
The exposed information consisted primarily of New Yorkers’ Social Security numbers, accounting for 40% of records exposed, and financial account information such as credit card numbers, accounting for 33% of records exposed, according to the report.
Hacking was the leading cause of the data security breaches at 44%, with another 25% of breaches due to negligence, according to the report.
Mr. Schneiderman said he would introduce legislation to require Facebook and other social media sites to notify his office and New York consumers when they learn that users’ personal data was obtained and misused in violation of the law or the platform’s terms of service.
He also urged the state legislature to pass the Stop Hacks and Improve Electronic Data Security Act, which he introduced last fall and said would close major gaps in New York’s data security laws. Under the SHIELD Act, companies would have a legal responsibility to adopt reasonable administrative, technical and physical safeguards for sensitive data. The bill would also expand the types of data that trigger reporting requirements.
“New York State’s current data security law has proven inadequate to address the ever-growing threat of data breaches,” Mr. Schneiderman said in the report. “New York law only requires a person or commercial entity conducting business in New York State to report a data security breach if it involves ‘private information,’ defined as a consumer’s name in combination with a social security number, financial account information or driver’s license number. However, current law does not require most companies to maintain reasonable data security, except if the company collects social security numbers. Companies also are not required to report breaches of certain critical data types, including username-and-password combinations, and biometric data like the fingerprint you use to unlock an iPhone.”