On July 15, 2014, the New York Attorney General issued a report examining the growing number and costs of data breaches in the state of New York. The report, titled “Information Exposed: Historical Examination of Data Security in New York State,” analyzes eight years’ worth of security breach data collected by the Attorney General and the impact of those breaches upon New Yorkers. The report finds that the number of security breaches reported to New York more than tripled between 2006 and 2013. Additionally, half of the largest breaches have occurred since 2011, with 2013 having the largest number of New Yorkers affected by data breaches.

The leading causes of the data security breaches were also reported by the Attorney General.  The report found that approximately 40 percent of all breaches between 2006 and 2013 were the result of hacking intrusions (third parties gaining unauthorized access to data stored on computers).  Nearly percent of all breaches were the result of lost or stolen equipment or documentation.  And insider wrongdoing, increasing in frequency each year, accounted for approximately 10 percent of all breaches.

The Attorney General also reviewed the number of data security breaches reported by industry. Retailers were most likely to report three or more breaches between 2006 and 2013. The report links retailers’ susceptibility to attack – particularly restaurant retailers – to retailers’ payment systems, which have become a favorite target of hackers. In addition, health care providers were shown not only to have a high incidence of three or more attacks, but also to have experienced the largest number of personal records exposed between 2006 and 2013.

The data breaches experienced in New York had significant financial consequences, particularly to the organizations involved. The report estimates that in 2013 alone, breaches cost organizations doing business in New York over $1.37 billion. These costs include not only the costs of investigating the incident, notifying affected individuals and litigation-related expenses, but also indirect economic consequences related to consumer and investor confidence.

In order to better protect themselves from data security breaches, the report recommends that organizations implement the following five practices:

1. Understand what data your organization has collected, maintained and stored, and review what steps have been taken to ensure security.

2. Minimize the collection of data, store data for the minimum time that is needed and delete any information no longer needed.

3. Create a comprehensive information security plan that includes encryption of data.

4. Implement the information security plan, which should include training of employees, communicating with third-party vendors and conducting regular audits to ensure compliance.

5. Offer mitigation services to affected individuals.

Carrie Dettmer Slye

Carrie Dettmer Slye focuses on assisting business clients in resolving complex disputes, including matters involving data privacy and security.

Experience:

Assisted in case involving alleged unauthorized disclosure of protected health information by hospital. Drafted motion to dismiss arguing that plaintiff consented to disclosure of documents thereby waiving any alleged privilege. Plaintiff’s counsel agreed with analysis after review of motion to dismiss and subsequently dismissed action.

Assisted in response to federal complaint filed against client, a golf course, for allegedly preventing use of member’s “lifetime membership.” Drafted motion to dismiss plaintiff’s claims, which included constitutional due process claim, breach of contract claim, and personal injury claim. District court granted motion to dismiss and issued thorough opinion analyzing issues in golf course’s favor.

Handled litigation matters concerning software and website development. Represented consultants and software developers in complex actions involving design and implementation of Enterprise Resource Planning/Management software.

Assisted in data breach and incident response related to misplaced technology device involving company in healthcare industry. Drafted incident notifications to affected individuals and regulatory agencies, including state attorneys general and Office of Civil Rights.

Drafted standards for company in financial industry to assist with monitoring of employee postings and participation in social media.