Mandatory breach notification to be N.Y. law

The state's Information Security Breach and Notification Act, which goes into effect this week, puts the Empire State in the company of 18 others requiring full disclosure to customers after a breach.

State Assemblyman James Brennan, D-Brooklyn, said, "It's only natural to think (a breach-notification law) should be compulsory in New York."

"ID theft is becoming a major national problem. We've had a number of examples," he said. "We want that company knowing that they should notify all its customers."

Brennan said most businesses he talked to were "pretty supportive" of the new legislation. All businesses operating within New York state are subject to the law.

The law, similar to California's 2-year-old SB1386, was passed in June by the state General Assembly and signed into law by Republican Gov. George Pataki.

Defining personal information as Social Security numbers, driver's licenses, non-driver identification cards, bank, credit and debit card numbers and security access codes and passwords, the law requires companies to notify customers of any breach of unencrypted personal information.

It also threatens non-compliant companies with a fine of up to $10 per failed notification.

Gordon Rapkin, CEO of Protegrity, a company based in neighboring Connecticut, said most corporations "have already dealt with" similiar laws when doing business in other states.

"It's a good thing New York passed it, with many breaches around in the not-so-distant past," he said.

Rapkin said embarrassment from a breach, and other costs, may serve as more of a deterrent than the fine.

"Just the act of notifying everyone will cost you a fortune," he said. "I think that's the real deterrent."

www.state.ny.us