1250 Broadway, 27th Floor New York, NY 10001


A.G. Schneiderman Announces Record Number Of Data Breach Notices For 2016

Hacking Drives Data Breaches Up By 60%, Exposing Info Of 1.6 Million New Yorkers

Schneiderman: It’s On Businesses And Citizens Alike To Protect Against Dangerous Data Exposures That Undermine NY'ers Financial Health And Cost Billions

Attorney General Eric T. Schneiderman recently announced that his office received a record number of data breach notices in 2016. The close to 1,300 reported data breaches in 2016 represented a 60 percent increase over the previous year; these breaches exposed the personal records of 1.6 million New Yorkers in 2016, representing a threefold increase over the prior year. Analysis conducted by the Attorney General's office revealed that the exposed information consisted overwhelmingly of social security numbers and financial account information and surmised that hacking and inadvertent disclosure were the two leading causes of data security breaches.

“In 2016, New Yorkers were the victims of one of the highest data exposure rates in our state’s history,” saidAttorney General Schneiderman. “The total annual number of reported security breaches increased by 60% and the number of exposed personal records tripled. Hacking is increasingly prevalent – making it all the more important for companies and citizens alike to take precaution when sharing and storing personal data. It’s on all of us to guard against those who try to use our personal information for harm – as these breaches too often jeopardize the financial health of New Yorkers and cost the public and private sectors billions of dollars.”

The Attorney General’s office first began collecting information regarding exposure of personal data in 2005, after § 899-aa was added to New York State Business Law requiring businesses to report all security breaches of their computerized data systems containing private consumer information to the OAG in a timely manner. The research included today builds on the NYAG’s 2014 report titled "Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach data and how it impacted New Yorkers.

Hacking & Negligence Continue as Main Causes of Data Breaches

In 2016, hacking accounted for more than 40% of data security breaches. 519 notices reported unauthorized outside access of computerized data (see Figures 1 and 2). In the OAG’s 2014 report, hacking similarly represented the leading cause of all data breaches from 2006 to 2013. This past year however, employee negligence, which consists of a combination of inadvertent exposure of records, insider wrongdoing, and the loss of a device or media, nearly tied hacking by accounting for approximately 37% of breaches.

Figure 1: Data Security Breach Cause (Chart)

Figure 1

Figure 2: Data Security Breach Cause (Table)

Figure 2

Social Security and Financial Information as Primary Targets

The most frequently acquired information in 2016 was Social Security numbers and financial account information, which together accounted for 81% of breaches in New York. Other records such as driver’s license numbers (8%), date of birth (7%) and password/account information (2%) (see Figure 4) together accounted for 1,284,037 of exposed personal records in 2016.

Figure 3: Type of Information Acquired (Chart)

Figure 3

Figure 4: Type of Information Acquired (Table)

Figure 4

Mega-Breaches in 2016

While 2016 saw a 59% increase in the total number of reported breaches, only two mega-breaches figured among them.Comparatively, 28 mega-breaches were reported to the OAG between 2006 and 2013. On October 12, 2016, Newkirk Products, Inc., a business associate of Capital District Physicians’ Health Plan, Inc., CDPHP Universal Benefits, Inc., and Capital District Physicians’ Healthcare Network, Inc., reported exposing the personal health information of 761,782 New Yorkers. The next largest breach, reported on January 13, 2016, was at HSBC bank. It exposed the financial, personal, and social security information of 251,201 New Yorkers. Additionally, breaches at Eddie Bauer and Emblem Health reportedly affected 60,205 and 55,664 New Yorkers in August and November, respectively. These breaches, not surprisingly, had a substantial impact on the total number of New York residents affected during those months (See Figure 5). The number of New Yorkers affected steadily declined in the months that followed.

Figure 5: Total Affected and Total NY Residents Affected by 2016 Reported Breaches (Table)

Figure 5

Figure 6: Total NY Residents by 2016 Reported Breaches (Graph)

Figure 6

Average Delays in Notification Remain Constant Throughout 2016

As part of New York General Business Law Section § 899-aa, entities that experience a breach must notify the OAG, among other entities, and the individuals immediately affected, without unreasonable delay. Entities that suffered a breach exhibited the greatest delay in notification in March. While the difference in shortest and longest amount of time for entities to notify the OAG and consumers is extreme, between one day and several months, the average delays decreased throughout the year.

All Organizations are at Risk

No organization is exempt from the risk of a data breach. Data exposure can occur at small family businesses, government agencies, and large multinational corporations.

The Attorney General’s Office recommends that organizations follow these simple steps to help protect sensitive personal information against unauthorized disclosures.

  • Understand Where Your Business Stands: The first step toward an effective data security policy is to understand what information your business requires for its operation, what data have already been collected and stored, how long the data are needed and what steps have been taken to ensure security. Organizations should review how sensitive data are acquired, how sensitive information is being shared with third parties, and what access controls are in place.
  • Identify and Minimize Data Collection Practices: Put simply, data that do not exist cannot be stolen or lost. Collect only information that you need, store it only for the minimum time that you need it, and deploy data minimization tactics wherever possible. For example, if your company uses a point-of-sale system, ensure that expiration dates are not stored with credit card numbers. Reduce the use of highly sensitive data points, such as Social Security numbers, unless absolutely necessary, and minimize the length of retention for such data. Delete any information you no longer need.
  • Create an Information Security Plan That Includes Encryption: Creating a comprehensive Information Security Plan is a complex but necessary endeavor. Studies show that entities with an effective plan will articulate not only technical standards, but will incorporate training, awareness, and detailed procedural steps in the event of data breaches. Read more about what a comprehensive security plan should include in the report.
  • Implement an Information Security Plan: Successful implementation of a thoughtfully designed plan can be one of the most effective ways to minimize the risk of a data breach. Elements to consider when implementing a plan include ensuring employees are aware of the plan and conducting regular reviews to ensure the plan continues to conform with evolving best practices.
  • Take Immediate Action in the Event of a Breach: Remember to investigate all security incidents immediately and thoroughly. In the event of a breach, the law may require you to notify consumers, law enforcement, state Attorney Generals’ offices, credit bureaus and other businesses.
  • Offer Mitigation Products in the Event of a Breach: While not required by law, New Yorkers affected by a data breach should be provided with mitigation services for free. These include credit monitoring, which provides alerts, usually by email, whenever an application for new credit is submitted to a consumer credit reporting agency, and a security freeze, which blocks new credit accounts. The cost of clearing up the consequences of identity theft can easily reach into the thousands of dollars and require hundreds of hours attending to administrative burdens.

The Attorney General’s Office suggests that consumers guard against threats in the following ways:

  • Create Strong Passwords for Online Accounts and Update Them Frequently. Use different passwords for different accounts, especially for websites where you have disseminated sensitive information, such as credit card or Social Security numbers.
  • Carefully Monitor Credit Card and Debit Card Statements Each Month. If you find any abnormal transactions, contact your bank or credit card agency immediately.
  • Do Not Write Down or Store Passwords Electronically. If you do, be extremely careful of where you store passwords. Be aware that any passwords stored electronically (such as in a word processing document or cell phone’s notepad) can be easily stolen and provide fraudsters with one-stop shopping for all your sensitive information. If you hand-write passwords, do not store them in plain sight.
  • Do Not Post Any Sensitive Information on Social Media. Information such as birthdays, addresses, and phone numbers can be used by fraudsters to authenticate account information. Practice data minimization techniques. Don’t overshare.
  • Always Be Aware of the Current Threat Landscape. Stay up to date on media reports of data security breaches and consumer advisories.

The Attorney General’s Office recommends taking the following steps if you believe you have been victimized by a data security breach:

  • User Names and Passwords: For user names and passwords, change them immediately on the relevant account and monitor the account for unusual activity. If you use the same user name or password on other accounts, change those as well.
  • Credit Card Numbers: For breaches involving credit card numbers, Social Security numbers and other sensitive numbers, create an Identity Theft Report by filing a complaint with the Federal Trade Commission and printing your Identity Theft Affidavit. You can call the Federal Trade Commission (FTC) at 1-877-438-4338 or complete the form online here. Use the Identity Theft Affidavit to file a police report and create your Identity Theft Report. An Identity Theft Report will help you deal with credit reporting companies, debt collectors and any fraudulent accounts that the identity thief opened in your name. You may also want to put a fraud alert and/or security freeze on your credit report by notifying each of the credit reporting agencies (Equifax, TransUnion and Experian). A security freeze remains on your credit file until you remove it or choose to lift it temporarily when applying for credit services.

Contact information for the credit reporting agencies:

Equifax 1-800-525-6285

Experian 1-888-397-3742

TransUnion 1-800-680-7289