[ISN] NY enacts security breaches disclosure law

InfoSec News isn at c4i.org
Mon Aug 15 06:09:43 EDT 2005


By John Leyden
12th August 2005

New York has enacted an information security breaches law which will
oblige firms and local government agencies to notify customers in the
state if their personal information is taken or its systems are hacked.

The legislation is designed to promote a culture of security. It also
helps protect consumers by giving them the information they need to
head off possible identity theft when sensitive details such as Social
Security, driver's license and credit card numbers become exposed.
Organisations with customers in New York are obliged to notify these
people of a breach as soon as practically possible.

The Information Security Breach and Notification Act in New York is
broadly similar to security breaches laws enacted in California more
than two years ago. Legislation requiring consumer notification of
data security breaches has been approved in at least 15 states since
then. Federal security disclosure laws are under consideration but
opposed by some who fear it might dilute state laws, Red Herring

New York's decision to press ahead with its legislation follows a
series of high-profile consumer data security breaches involving US
firms including data mining firm ChoicePoint, payment processing firm
CardSystems Solutions and others.

"The events of the last few months underscore the urgency of
protecting consumers. If a person is not aware that he or she has been
a victim of identity theft, then the damage done could be severe and
irreversible. Prompt notification gives New Yorkers needed
protections," said New York State Assembly member James Brennan, who
sponsored the law. "In the last year, over 9,000 New Yorkers were
exposed to identity theft because of inadequate security and poor
notification procedures."
