Data breaches cost N.Y. companies $1.37 billion, report says


Security breaches exposing consumers’ personal information are becoming larger and increasingly frequent in New York, costing businesses more than $1.37 billion last year, the state attorney general’s office said.

Data breaches in the state more than tripled from 2006 to 2013, resulting in the exposure of 22.8 million personal records, according to a report released today by New York Attorney General Eric Schneiderman. Almost 5,000 breaches were reported to the office by businesses, nonprofits and government entities during that time, with hacking attacks causing the worst damage.

“Our expansive look at data breaches found that millions of New Yorkers have been exposed without their knowledge or consent,” Schneiderman said in a statement. The office will take a “collaborative approach to address the complex problems surrounding data security,” he said.

Target Corp., the Minneapolis-based retailer, was the victim of a breach last year that allowed hackers to gain access to payment data for 40 million of its customers’ debit and credit cards. LivingSocial Inc., the daily coupon website based in Washington, said last year that more than 50 million customers may have been affected by a cyber-attack.

The cost to businesses in New York was based on research estimating the price of each personal record compromised at $188, according to the attorney general’s report.

“Mega breaches” such as the Target attack are becoming increasingly common and are generally caused by hackers, Schneiderman’s office said. Hacking accounted for more than 40 percent of security breaches, according to the office. Data can also be compromised by accidental exposure and theft by employees within a company.

The U.S. has also accused China of stealing information from American companies that would be useful to competitors, indicting five Chinese military hackers in May. China has denied wrongdoing and suspended participation in a cybersecurity working group with the U.S. in response.

Schneiderman said that “engaging industry stakeholders and security experts, as well as lawmakers” could help provide tools for better protecting data.

Breaches at Target and other retailers helped renew a call this year for a federal law requiring notification of consumers when personal data is compromised. Legislative proposals have failed to advance as lawmakers struggle to “decide what they want to achieve” with the measure, said Mallory Duncan, general counsel for the National Retail Federation.

“Sometimes they’re trying to lock up information that’s not sensitive,” Duncan said. “Some bills out there talk about sensitive financial information, but also throw in things like your name, your address and your shoe size.”

Lawmakers are still weighing issues such as how tightly drawn the notification requirements should be, whether new payment technologies should be mandated, whether private lawsuits should be allowed under the law, and whether it should pre-empt existing state laws, said Jay Johnson, a lawyer at Jones Day who specializes in data security.

Protection of data and requirements for notifying people affected by a breach are now governed by a “patchwork of industry-specific federal laws and generally applicable state laws,” Johnson said.

Most states have laws requiring businesses to notify individuals whose data is compromised, although the obligations vary, Johnson said.

Schneiderman’s office has been collecting information about breaches since December 2005, after New York’s law governing notification went into effect.

Ted Kobus, a privacy and data security lawyer at BakerHostetler, said some policy makers are “trying to head in a direction where we have some sort of standard” for data protection.

“The problem is that standards change every day,” he said.