Legislative Memo: Notification of Unauthorized Access to Personal Information

This bill would require state agencies and private companies to notify individuals in the event that their confidential computerized information is the subject of a security breach. Companies or government agencies that fail to disclose that a breach of their databases has occurred would be liable for civil damages.

The bill parallels a California law enacted in September 2002 that was prompted in part by a massive security breach in the state’s payroll database. Hackers obtained access to social security numbers, bank account information and home addresses of 265,000 state employees, including Governor Gray Davis. To make matters worse, the California Controller’s Office failed to notify state employees for over two weeks after discovering the breach.

The NYCLU believes this bill is an important step in recognizing the need for heightened protections of confidential information collected and maintained in electronic databases by state agencies and businesses.

Current law does not require government and business entities that maintain confidential personal information to provide notice of a security breach; and as a consequence the public is at high risk of identity theft and other offenses when a confidential database record becomes public. This bill would enable New Yorkers to take necessary measures to protect themselves against such offenses.

We applaud the introduction of this legislation as an important first step in allowing New Yorkers to secure “vulnerable” personal information in the event of a breach of computer security. However, we would urge that the sponsor of this bill expand upon this legislative precedent. Additional and extensive safeguards are necessary to prevent security breaches from occurring in the first instance and to strengthen information privacy protections.

In light of the growing number of computer networks that collect, store, transfer, link and sell personal information, the ability of the government, financial institutions and unauthorized persons to compromise individuals’ privacy rights has been enhanced significantly.

To protect against the malicious or accidental infringement of individual privacy, further legislation is required to implement, enforce and strengthen notice, consent, security and access procedures – all of which are core principles of information privacy.

The NYCLU supports the passage of this bill.