The report reveals that the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches, which have cost the public and private sectors in New York upward of $1.37 billion in 2013. In addition, the report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches. Attorney General Schneiderman’s report also presents new recommendations on steps that both organizations and consumers can take to protect themselves from data loss.
“As we increasingly share our personal information with stores, restaurants, health care providers and other organizations, we should be able to enjoy the benefits of new technology without putting ourselves at risk. Unfortunately, our expansive look at data breaches found that millions of New Yorkers have been exposed without their knowledge or consent. It’s clear that a broad, concerted public education campaign must take place to ensure that all of us – from large corporations, to small businesses and families – are better protected,” said Attorney General Schneiderman. “Moving forward, I will advocate for collaboration between industry and security experts to ensure that organizations across the state and country have access to the tools needed to secure our data, so we can best address this complex and growing problem.”
2013 was a record-setting year in data security breaches, during which 7.3 million records of New Yorkers were exposed in more than 900 data security breaches. The massive number of affected New Yorkers in 2013 was largely driven by two retail mega-breaches at Target and Living Social, which have led some to dub 2013 “The Year of the Retailer Breach.” So-called mega-breaches have also becoming increasingly common: Five of the 10 largest breaches reported to the Attorney General’s Office have occurred since 2011.
No organization is exempt from this trend: In the eight-year period analyzed by today’s report, a widely diverse set of organizations ranging from local family businesses to large multinational corporations reported data security breaches to the Attorney General’s Office. While the most recent and widely publicized mega-breaches have involved retailers, data breaches have also impacted the health care and financial services industries.
The demand on secondary markets for stolen information remains robust. Freshly acquired stolen credit card numbers can fetch up to $45 per record, while other types of personal information, such as Social Security numbers and online account information, can command even higher prices. Non-financial information can be even more valuable, as fraudulent use is more difficult to detect and the information can be used for a broader range of purposes. For example, a stolen Facebook account can provide an access point to a wide range of user accounts, or can be used as a vehicle to steal information from others within that individual’s social network.
Despite the risks posed by data security breaches, individuals and organizations can take practical steps to better guard themselves from threats. While it may be impossible to completely prevent data loss, organizations that implement data security plans can greatly reduce the harm caused by a data security breach. In addition, individuals can remain vigilant and take action to protect themselves against breaches.
The Attorney General’s Office recommends that organizations follow these simple steps to help protect sensitive personal information against unauthorized disclosures.
- Understand Where Your Business Stands: The first step toward an effective data security policy is to understand what information your business requires for its operation, what data have already been collected and stored, how long the data are needed and what steps have been taken to ensure security. Organizations should review how sensitive data are acquired, how sensitive information is being shared with third parties, and what access controls are in place.
- Identify and Minimize Data Collection Practices: Put simply, data that do not exist cannot be stolen or lost. Collect only information that you need, store it only for the minimum time that you need it, and deploy data minimization tactics wherever possible. For example, if your company uses a point-of-sale system, ensure that expiration dates are not stored with credit card numbers. Reduce the use of highly sensitive data points, such as Social Security numbers, unless absolutely necessary, and minimize the length of retention for such data. Delete any information you no longer need.
- Create an Information Security Plan That Includes Encryption: Creating a comprehensive Information Security Plan is a complex but necessary endeavor. Studies show that entities with an effective plan will articulate not only technical standards but will incorporate training, awareness, and detailed procedural steps in the event of data breaches. Read more about what a comprehensive security plan should include in the report.
- Implement an Information Security Plan: Successful implementation of a thoughtfully designed plan can be one of the most effective ways to minimize the risk of a data breach. Elements to consider when implementing a plan include ensuring employees are aware of the plan and conducting regular reviews to ensure the plan continues to conform with evolving best practices.
- Take Immediate Action in the Event of a Breach: Remember to investigate all security incidents immediately and thoroughly. In the event of a breach, the law may require you to notify consumers, law enforcement, state Attorney Generals’ offices, credit bureaus and other businesses.
- Offer Mitigation Products in the Event of a Breach: While not required by law, New Yorkers affected by a data breach should be provided with mitigation services for free. These include credit monitoring, which provides alerts, usually by email, whenever an application for new credit is submitted to a consumer credit reporting agency, and a security freeze, which blocks new credit accounts. The cost of clearing up the consequences of identity theft can easily reach into the thousands of dollars and require hundreds of hours attending to administrative burdens.
- Create strong passwords for online accounts and update them frequently. Use different passwords for different accounts, especially for websites where you have disseminated sensitive information, such as credit card or Social Security numbers.
- Carefully monitor credit card and debit card statements each month. If you find any abnormal transactions, contact your bank or credit card agency immediately.
- Do not write down or store passwords electronically. If you do, be extremely careful of where you store passwords. Be aware that any passwords stored electronically (such as in a word processing document or cell phone’s notepad) can be easily stolen and provide fraudsters with one-stop shopping for all your sensitive information. If you hand-write passwords, do not store them in plain sight.
- Do not post any sensitive information on social media. Information such as birthdays, addresses, and phone numbers can be used by fraudsters to authenticate account information. Practice data minimization techniques. Don’t overshare.
- Always be aware of the current threat landscape. Stay up to date on media reports of data security breaches and consumer advisories.
The Attorney General’s Office recommends taking the following steps if you believe you have been victimized by a data security breach:
- User Names and Passwords: For user names and passwords, change them immediately on the relevant account and monitor the account for unusual activity. If you use the same user name or password on other accounts, change those as well.
- Credit Card Numbers: For breaches involving credit card numbers, Social Security numbers and other sensitive numbers, create an Identity Theft Report by filing a complaint with the Federal Trade Commission and printing your Identity Theft Affidavit. You can call the Federal Trade Commission (FTC) at 1-877-438-4338 or complete the form online here. Use the Identity Theft Affidavit to file a police report and create your Identity Theft Report. An Identity Theft Report will help you deal with credit reporting companies, debt collectors and any fraudulent accounts that the identity thief opened in your name. You may also want to put a fraud alert and/or security freeze on your credit report by notifying each of the credit reporting agencies (Equifax, TransUnion or Experian). A security freeze remains on your credit file until you remove it or choose to lift it temporarily when applying for credit services.