Update on Committee Investigations

From Assemblymember James Brennan
Chair, Committee on Oversight, Analysis and Investigation

Assemblyman James Brennan
James Brennan, Chair
Committee on Oversight,
Analysis and Investigation

A4254-A, the
Information Security
Breach Notification Act,
has been hailed as the
new “national benchmark”
for identity theft.

Albany Office:
Room 641, Legislative Office Building Albany, NY 12248

Committee Office:
Agency Building 4, 12th Floor
Albany, NY 12248
Brennan Law Fights Identity Theft

Over 200,000 New Yorkers now know that they have been exposed to identity theft because of a new state law sponsored by the Chair of the Oversight Committee, Assemblymember James Brennan. The new law, the Information Security Breach and Notification Act, took effect on December 7, 2005. Until now, companies that suffered computer break-ins were not required to notify people when customer information was stolen. The new law requires companies to contact people when their private information like Social Security, driver’s license, or credit card numbers are exposed.

In many ways 2005 will be remembered as the year of the computer breach — so the enactment of this law could not be more timely. Assemblymember Brennan (D-Brooklyn) was active in pursuing companies that suffered serious breaches but did not initially notify customers. One of these was a large data broker called Choice Point. Brennan called for an immediate halt to state contracts with Choice Point after it was revealed that over 125,000 people, 9,000 of them New Yorkers, were the victims of a security breach at Choice Point. Over the course of several months, Brennan tracked other notable cases — and the results were startling. In just the first six months of 2005, over six million people were exposed to identity theft nationwide due to security breaches at large information brokers or financial institutions. Assemblymember Brennan said, “Until now, identity theft was often an unseen crime — though not a victimless one — because companies and the government did not need to notify New Yorkers when their information was stolen. Now New Yorkers will be notified, which makes turning a profit off of identity theft that much harder.”

The new law :

  • requires that governments and businesses notify victims if their personal information is taken;

  • establishes one state law requiring businesses to provide notice of an information hack;

  • requires local laws protecting the information under local government’s control;

  • protects consumers by giving them the information they need to head off identity thieves before they can do more damage; and

  • helps to create a “culture of security” by encouraging data protection techniques.

The Information Security Breach and Notification Act (A.4254-A Brennan) has been hailed by both local and international press:
Computerworld said it was the new “national benchmark” for identity theft prevention.
Jones Day called it “an important data security and notice statute,” saying that because of laws like this one, “companies will find it ever more difficult to avoid dealing with security breach notification obligations.”
The Register said the legislation “will promote a culture of security. It also helps consumers by giving them the information they need to head off possible identity theft.”

The bill was supported by Consumer’s Union, The Privacy Rights Clearinghouse and NYPIRG. All saw it as a great first step in preventing Identity Theft. The Privacy Rights Clearinghouse probably said it most clearly:

Early notice. . .means that if identity theft has already occurred, individuals can stop the bleeding. When identity theft cases are discovered early on, surveys show that victims are able to regain their financial health much more quickly. . .The “information security breach and notification act” is good public policy.

“All efforts to stop computer thefts of personal information must be pursued. This important law means prompt notification to individuals whose information is taken. Perhaps, as importantly, it should mean greater efforts by business and government to protect information from being taken in the first place. When you have thousands of New Yorkers victimized by identity thieves, and you can stop that, you have to do what’s right,” Assemblymember Brennan concluded.

PUBLIC EYE #10 (December 2005) is the second in a series of updates from Assemblymember James Brennan detailing his work as Chair of the NYS Assembly Oversight, Analysis and Investigation Committee. Other issues will follow. The Committee is charged with reviewing implementation and adequacy of laws and programs to ensure compliance by the public and government agencies. Through its monitoring and investigative activities, it seeks to determine whether programs are operating as required and whether funds allocated for programs are spent effectively, efficiently and in accordance with legislative intent.

New York State Assembly
[ Welcome Page ] [ Committee Updates ]