On March 21, 2017, New York Attorney General (NYAG) Eric T. Schneiderman announced that his office had received a record-breaking 1,282 data breach notices affecting 1.6 million New York residents during 2016. Compared to 2015, these figures represent a 60 percent increase in the number of notices and a 300 percent increase in the number of New York residents affected. These research figures build on the NYAG’s 2014 report “Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach statistics in New York from 2006 to 2013.
In New York, state law requires an organization to notify the NYAG and any affected New York residents in the event of a breach regardless of the number of people affected or the risk of harm. As a result, it is helpful to consider the number of notices and affected residents in the context of other data points, such as the type of breach or the type of data involved.
For example, the NYAG reported that the leading cause of 2016 breaches was hacking, with 40 percent of notices listing it as the primary cause of the breach. The second leading cause was “employee negligence,” accounting for 37 percent of reported breaches. The “employee negligence” figure is a combination of breaches resulting from inadvertent exposure of records, insider wrongdoing, and the loss of a device or media. While hacking was the leading cause of breaches between 2006 and 2013 as well, the combined “employee negligence” category is new. Where the 2016 statistics differentiate between the loss and theft of devices and media, the 2006-2013 statistics combined both categories. Therefore, it is helpful to compare the individual “employee negligence” categories in the 2016 statistics and the 2014 report:
- Inadvertent disclosure: 2006–2013: 20.24%; 2016: 24.34%
- Insider wrongdoing: 2006–2013: 10.37%; 2016: 8.19%
- Theft/Loss: 2006–2013: 23.69%; 2016: 6.24% (combined)
While the percentage of inadvertent disclosures has increased, insider wrongdoing and theft and loss as a combined statistic were both lower in 2016 than in the previous reporting period.
The NYAG also added new statistics on the types of data subject to breaches that were not included in the 2014 report. In 2016, social security numbers and financial information combined for 80.93% of the total breaches in New York. Interestingly, the number of “mega-breaches” appeared to decline, with only 2 reported in 2016 compared to 28 reported between 2006 and 2013. The NYAG highlighted this number in stating that “[n]o organization is exempt from the risk of a data breach.” The NYAG recommends that all organizations take steps to secure personal data, including:
- Implementing data minimization and deletion practices;
- Creating an Information Security Plan that includes encryption;
- Making sure the Information Security Plan is implemented properly and regularly reviewed; and
- Offering mitigation processes including credit monitoring and security freezes to affected individuals.