Legislative Memo


A.4254 (Brennan) / S.2161 (Fuschillo)



Notification of unauthorized acquisition of personal information



March 8, 2005


SUMMARY: This bill requires that any business which owns or licenses computerized data which includes vulnerable personal information shall disclose any breach of security of the system to any resident of New York whose information was reasonably believed to have been acquired by an unauthorized person. The bill also allows for a class action suit to be brought against the company whose security was breached. If the suit is successful, each subscriber receives not less than $500, regardless of the amount of actual damages proved.

PERSONAL DATA: This bill does not tackle the real issue in question. The bill is designed to protect an individual's personal data. What the bill actually does is punish those businesses that maintain personal data if their security is breached, through no fault of their own. Businesses that collect and store personal data have gone to great lengths and expense to protect this information and keep it secure.

PENALTIES: If a business' security is breached, through no fault of its own, the business is forced to pay a penalty. The legislation allows for penalties for each instance where it fails to notify the consumers “immediately following the discovery” if the security is breached. The company could be subject to a class action lawsuit, and is then liable for “not less than $500 in damages, regardless of actual damages proved...”. This is an invitation to any trial lawyer, who would not have prove that anyone was harmed by such breach, but merely that notification was not done in a timely manner.

CONCLUSION: The goal of this legislation is laudable. However, this bill punishes companies and businesses attempting to protect their customers - the consumers. Many companies need certain personal information about their customers in order to conduct their business - in order to protect these very customers. The punitive measures under this legislation are focused on the wrong party. Rather than attempting to correct and address identity theft and other similar crimes - this legislation punishes the very companies attempting to help and aid consumers. For the above stated reason, The Business Council opposes this legislation and recommends it not be adopted.