New York Data Breaches Reached Record Level in 2016, and Attorney General Eric Schneiderman Recommends Stronger Cybersecurity Practices

Mar 23, 2017 | Blog

New York businesses and citizens need digital vigilance now more than ever. Data breaches affecting New Yorkers increased by 60% in 2016, according to a report issued by the Office of New York Attorney General Eric Schneiderman on March 21, 2017. The findings are sobering and portend enhanced enforcement of cybersecurity regulations in the state, including the Department of Financial Services cybersecurity regulations that went into effect on March 1, 2017.

The health care industry was particularly hard hit in 2016. Data breaches spiked to more than 800,000 individuals affected in October due, in large part, to a breach by a business associate of two health plans and a physician’s network in upstate New York that comprised the exposure of information of 761,782 individuals.

Hacking accounted for 40% of all data breaches but, remarkably, “employee negligence,” which includes inadvertent disclosures of information, was responsible for approximately 37% of all breaches, nearly the same as hacking.

The report included several “recommendations” by the Attorney General’s Office, including “Understand Where Your Business Stands” (data mapping to determine the information the business possesses, where it is stored, how it’s used and where it is sent); “Identify and Minimize Data Collection Practices,” including reduction in the amount of data stored (the new cybersecurity regulations comprise a requirement for data deletion); and “Create an Information Security Plan that Includes Encryption” and “Take Immediate Action in the Event of a Breach” (emphasis supplied).

It remains to be seen whether these Recommendations will become a standard of care, a security metric for use by the Attorney General when investigating data breaches, but the inclusion of these Recommendations in the report issued on March 21 makes that more than likely.

If you require assistance in cybersecurity compliance, please contact Kenneth N. Rashbaum.