New York enacts tough data breach law.

• Author: Swartz, Nikki
• Position: UP FRONT: News, Trends & Analysis

New York's new state law will force interstate companies to disclose virtually all data breaches, no matter how small the risk, and sets a precedent for cracking down on companies that do not notify customers of data improprieties.

New York's data breach law, signed in August by Gov. George Pataki, will take effect in December. The law will directly force state-based and interstate companies to disclose virtually all data breaches--no matter how small the companies deem the risk to consumers--and will usurp current California breach notification laws as a national standard.

According to the law, New York would allow no exceptions for companies that have their own disclosure policies. It requires companies to disclose any unauthorized breach of databases that contain New York residents' personal information such as Social Security, driver's license, and credit card numbers, with a limited exception for some encrypted data. The law makes no exception for small data breaches or breaches unlikely to result in identity theft, despite concerns raised by industry groups who warn that customers could be overwhelmed by too much notification in cases where there's little risk. According to media reports, Congress and 35 state legislatures have considered data breach notification laws this year as more than 60 companies, complying with a 2003 California law, announced breaches affecting millions of U.S. residents this year. Although the California law requires that companies notify only California residents, it has become the de facto national standard, pushing companies to alert all customers.

[ILLUSTRATION OMITTED]

Congress is expected to discuss a national breach notification law this year. However, experts say if Congress fails to pass a national law preempting state legislation, the New York law would replace the California breach notification law, which includes some notification exceptions, as a national standard. Currently, a messy patchwork of state laws exists. While some industry groups have advocated a preemptive breach notification bill with few other regulations, consumer and privacy groups have called for sweeping ID theft protections.

With data breach notification laws already passed by 19 states and Congress focusing on the issue, even enterprise customers normally opposed to regulations recognize that a national law is...