A.9184-B (Rules/Klein) / S.6517 (Fuschillo)


Director of Government Affairs
518.465.7511 x205


A.9184-B (Rules/Klein) / S.6517 (Fuschillo)


Notification of unauthorized acquisition of personal information



SUMMARY: This bill requires that any business which owns or licenses computerized data, including vulnerable personal information, and then has its security breached or is thought to have had its security breached, shall be required to notify their customers. The disclosure must be given to any resident of New York whose information was reasonably believed to have been acquired by an unauthorized person. The bill also allows for a class action suit to be brought against the company whose security was breached. If the suit is successful, each subscriber receives not less than $500, regardless of the amount of actual damages proved.

The Federal Fair Access to Credit Transactions Act (FACT) was recently enacted to provide a balance regarding the use of personally identifiable information. FACT provides significant measures in identity theft prevention which this legislation is seeking to address. The federal legislation should be given an opportunity to work before states pass state specific legislation.

BURDENSOME REQUIREMENTS AND PERSONAL DATA:Requiring businesses to issue notices that personal information may have been compromised is burdensome to the businesses operating in New York. The legislation requires those businesses that maintain computerized data which includes vulnerable personal information to immediately notify that the data was, or "is reasonably believed to have been" acquired by an unauthorized person. The fact that this legislation is forcing the business community to issue a notice that their security may have been breached is outrageous. It is irresponsible to require businesses to issue a notice of a breach of security on the chance that it may have occurred. Businesses that collect and store personal data have gone to great lengths and expense to protect this information and keep it secure.

This bill does not tackle the real issue in question. The bill is designed to protect an individual's personal data. What the bill actually does is punish those businesses that maintain personal data, if their security is breached, through no fault of their own.

This legislation defines "vulnerable personal information" as "personal information with any one or more of the following data elements, when either the personal information or the data element is not encrypted: (1) social security number (2) driver's license number (3) account number, credit or debit card number, in combination with any required security code, access code, or password which permit access to an individual's financial account."

PENALTIES: If a business' security is breached, through no fault of its own, the business is forced to pay a penalty. The legislation states that any person found in violation of this bill, shall be liable to the aggrieved user for all actual damages sustained. The company could be subject to a class action lawsuit, and is then liable for "not less than $500 in damages, regardless of actual damages proved..." The legislation not only allows for "not less than $500 in damages", but also allows for costs, disbursements and reasonable attorney's fees. The legislation also provides for class action suits.The legislation also provides that if it is determined that a grossly negligent violation has occurred a civil penalty of $1000 may be imposed for each violation. This is an invitation to any trial lawyer, who would not have prove that anyone was harmed by such breach, but merely that notification was not done in a timely manner.

CONCLUSION: The goal of protecting personal information is laudable. However, this bill punishes companies and businesses attempting to protect their customers - the consumers. The federal government passed legislation last year, FACT, which allows consumers to check their credit reports. The federal legislation provides protections against and options for the mitigation of identity theft. The Business Council believes that we should give the federal legislation an opportunity to work.

The punitive measures under this legislation are focused on the wrong party. Rather than attempting to correct and address identity theft and other similar crimes - this legislation punishes the very companies attempting to aid consumers. For the above stated reason, The Business Council opposes this legislation and recommends it not be adopted.