Sixty Seconds of Privacy: New York Enforces Breach Notification Act

Thelen LLP

Contributor


Welcome to Sixty Seconds of Privacy, an e-newsletter brought to you by the Privacy and Data Security practice group at Thelen Reid Brown Raysman & Steiner LLP.

Each edition of this e-newsletter addresses one interesting legal development in the area of privacy and data security, in a brief "question and answer" format. Each edition is intended to be read in about a minute, yet will update you on an important development. We pick the topics for this e-newsletter based on what our clients are concerned about. You are welcome to submit your questions or suggestions to us, and you may find your sixty second answer in an upcoming edition.

Question: Complying with the 36 state breach notification laws in the event of a security breach is very burdensome and expensive. Are states really enforcing these laws?

Answer: Yes. New York State Attorney General Andrew Cuomo recently enforced New York's Information Security Breach and Notification Law against CS Stars, a Chicago-based claims management company that lost a computer containing sensitive information of approximately 540,000 consumers and failed to meet its notification obligations under the law in a timely fashion.

New York State law required this company, among other things, to notify the owner of the compromised data (in this case, a New York State committee for which CS Stars was providing data processing services) immediately following its discovery of the breach. In fact, while CS Stars discovered the missing computer on May 9, 2006, it failed to notify the committee until seven weeks later, on June 29, 2006, which delayed notification to the potentially affected consumers until July 18, 2006. As part of its settlement with the NY Attorney General, CS Stars agreed to comply with the law in the event of any future breach, to implement more extensive security practices, and to pay the Attorney General $60,000 in costs related to the investigation.

There is no debate among experts that for a company to respond to a data security breach in compliance with its legal obligations and the expectations of its customers, it is best to have a plan in place in advance of the breach. Such a plan should be in writing and should cover all of the legal and practical requirements that apply to a company that has suffered a breach of sensitive data.

Sixty Seconds Follow-up: In our September 2006 issue of Sixty Seconds, we featured a case, CollegeNET, Inc. v. XAP Corp., in which the plaintiff argued that a consumer has not effectively consented to the sharing of his or her contact information with a third party by answering "Yes" to the following question: "Are you interested in receiving information about student loans or financial aid?" A jury recently found that effective consumer consent was indeed not obtained through these words, awarding the plaintiff $4.5 million in damages. Furthermore, the court awarded attorney's fees on the grounds that the defendant's reliance on this means of obtaining consumer consent constituted willfully deceptive misconduct. The take-away: Make sure your consumer consent notices are as clear as possible about the nature and scope of the consent being solicited, in particular where consumer data will be shared with a third party.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
