On April 26, 2007, New York Attorney General Andrew Cuomo announced that his office entered into a settlement with CS STARS LLC for violating the state’s Information Security Breach and Notification Law, which is codified at N.Y. Gen. Bus. Law § 899-aa. Cuomo’s office targeted CS STARS for delaying, for seven weeks, the issuance of legally required notification regarding the theft of a computer which contained the personal information of approximately 540,000 workers’ compensation recipients.
New York’s security breach notification law, like other such laws, requires a business that maintains private information that it does not own to notify the data’s owner when this information may be compromised. The data owner must then notify potentially affected consumers. New York’s law also requires notice to the state’s Attorney General, Consumer Protection Board, and Office of Cyber Security. The timing of the notification is a particularly important aspect of many states’ security breach notification laws, including New York’s. Subject to law enforcement needs, New York requires notice to data owners “immediately following discovery” and to affected consumers “in the most expedient time possible and without unreasonable delay.”
CS STARS first noticed that a computer containing the names, addresses, and Social Security numbers of New York consumers was missing on May 9, 2006. However, CS STARS did not notify the New York Special Funds Conservation Committee (“NYSFCC”), the data owner, of the potential breach until June 29, 2006. The company notified the FBI that same day, and the following day notified the proper state agencies. Notices to potentially affected consumers, however, did not begin mailing until July 18, 2006, pursuant to the FBI’s request and N.Y. Gen. Bus. Law § 899-aa(4), which explicitly allows a business to delay notification if a law enforcement agency determines that such notification will impede a criminal investigation.
The FBI recovered the missing computer, which had been taken by an employee of a cleaning contractor, on July 26, 2006. No consumers’ information was improperly accessed. Nonetheless, Attorney General Cuomo felt that the lengthy delay between discovering the theft and issuing the proper notifications “would have been ample time [for identity thieves] to victimize hundreds of thousands of consumers.”
CS STARS’ settlement requires the company to implement precautionary measures to safeguard private information, comply with the state’s notification law in the event of any future breach, and pay $60,000 to cover costs related to the investigation. CS STARS did not admit to any violation of law.