BILL NUMBER: S5005
SPONSOR: SEPULVEDA
 
TITLE OF BILL:
An act to amend the general business law, in relation to creating a
private right of action for the breach of a consumer's identifying
information
 
PURPOSE:
Creates a private right of action for the breach of a consumer's
identifying information.
 
SUMMARY OF PROVISIONS:
Section 1. Adds a new Section 380-mm to the general business law to
create a civil liability for breach of a consumer's identifying
information. Defines identifying information as: an individual's social
security number; driver's license number; bank account number; credit or
debit card number; personal identification number; automated or
electronic signature; unique biometric data; account passwords; or any
other piece of information that can be used to access an individual's
financial accounts or to obtain goods or services.
Section 2. Effective date is immediate.
 
JUSTIFICATION:
A data breach is the intentional or unintentional release of secure or
private/confidential information to an untrusted environment. Other
terms for this phenomenon include unintentional information disclosure,
data leak and data spill.
In September 2016, Yahoo, the once-dominant Internet giant, while in
negotiations to sell itself to Verizon, announced it had been the victim
of the biggest data breach in history, affecting 3 billion user
accounts, likely by "a state-sponsored actor," in 2014. The attack
compromised the real names, email addresses, dates of birth and
telephone numbers of 500 million users. The company said the "vast
majority" of the passwords involved had been hashed using the robust
crypt algorithm. The breaches knocked an estimated $350 million off
Yahoo's sale price. Verizon eventually paid $4.48 billion for Yahoo's
core Internet business. The agreement called for the two companies to
share regulatory and legal liabilities from the breaches. The sale did
not include a reported investment in Alibaba Group Holding of $41.3
billion and an ownership interest in Yahoo Japan of $9.3 billion. Yahoo,
founded in 1994, had once been valued at $100 billion. After the sale,
the company changed its name to Altaba, Inc.
The FriendFinder Network, which included casual hookup and adult content
websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com
and Stripshow.com, was breached sometime in mid-October 2016. Hackers
collected 20 years of data on six databases that included names, email
addresses and passwords, affecting more than 412.2 million accounts.
eBay, the online auction giant, reported a cyberattack in May 2014 that
it said exposed names, addresses, dates of birth and encrypted passwords
of all of its 145 million users. The company said hackers got into the
company network using the credentials of three corporate employees, and
had complete inside access for 229 days, during which time they were
able to make their way to the user database. It asked its customers to
change their passwords, but said financial information, such as credit
card numbers, was stored separately and was not compromised. The company
was criticized at the time for a lack of communication informing its
users and poor implementation of the password-renewal process.
Equifax, one of the largest credit bureaus in the U.S., said on Sept.
7, 2017 that an application vulnerability on one of its websites led to
a data breach that exposed the data of about 147.9 million consumers.
The breach was discovered on July 29, but the company says that it
likely started in mid-May.
At the time of the breach, Heartland was processing 100 million payment
card transactions per month for 175,000 merchants - most small- to
mid-sized retailers. It wasn't discovered until January 2009, when Visa
and MasterCard notified Heartland of suspicious transactions from
accounts it had processed. Among the consequences were that Heartland
was deemed out of compliance with the Payment Card Industry Data
Security Standard (PCI DSS) and was not allowed to process the payments
of major credit card providers until May 2009. The company also paid out
an estimated $145 million in compensation for fraudulent payments. A
federal grand jury indicted Albert Gonzalez and two unnamed Russian
accomplices in 2009. Gonzalez, a Cuban-American, was alleged to have
masterminded the international operation that stole the credit and
debit cards. In March 2010, he was sentenced to 20 years in federal
prison.
The Target Store breach actually began before Thanksgiving 2013, but was
not discovered until several weeks later. The retail giant initially
announced that hackers had gained access through a third-party HVAC
vendor to its point-of-sale (POS) payment card readers, and had
collected about 40 million credit and debit card numbers. By January
2014, however, the company upped that estimate, reporting that
personally identifiable information (PII) of 70 million of its customers
had been compromised. That included full names, addresses, email
addresses and telephone numbers. The final estimate is that the breach
affected as many as 110 million customers.
The scope of the Uber breach alone warrants its inclusion on this list,
and it's not the worst part of the hack. The company learned in late
2016 that two hackers were able to get names, email addresses, and
mobile phone numbers of 57 users of the Uber app. They also got the
driver license numbers of 600,000 Uber drivers. As far as we know, no
other data such as credit card or Social Security numbers were stolen.
The hackers were able to access Uber's GitHub account, where they found
username and password credentials to Uber's AWS account. Those
credentials should never have been on GitHub. Here's the really bad
part: It wasn't until about a year later that Uber made the breach
public.
What's worse, they paid the hackers $100,000 to destroy the data with no
way to verify that they did, claiming it was a "bug bounty" fee. Uber
fired its CSO because of the breach, effectively placing the blame on
him.
JP Morgan, the largest bank in the nation, was the victim of a hack
during the summer of 2014 that compromised the data of more than half of
all US households - 76 million - plus 7 million small businesses. The
data included contact information - names, addresses, phone numbers and
email addresses - as well as internal information about the users,
according to a filing with the Securities and Exchange Commission. The
bank said no customer money had been stolen and that there was "no
evidence that account information for such affected customers - account
numbers, passwords, user IDs, dates of birth or Social Security numbers
- was compromised during this attack." Still, the hackers were
reportedly able to gain "root" privileges on more than 90 of the bank's
servers, which meant they could take actions including transferring
funds and closing accounts. According to the SANS Institute, JP Morgan
spends $250 million on security every year. In November 2015, federal
authorities indicted four men, charging them with the JP Morgan hack as
well as hacks of other financial institutions. Gery Shalon, Joshua
Samuel Aaron and Ziv Orenstein faced 23 counts, including unauthorized
access of computers, identity theft, securities and wire fraud and money
laundering that netted them an estimated $100 million. A fourth hacker
who helped them breach the networks was not identified.
Hackers, said to be from China, were inside the OPM system starting in
2012, but were not detected until March 20, 2014. A second hacker, or
group, gained access to OPM through a third-party contractor in May
2014, but was not discovered until nearly a year later. The intruders
exfiltrated personal data - including in many cases detailed security
clearance information and fingerprint data. In 2017, former FBI director
James Comey spoke of the information contained in the so-called SF-86
form, used for conducting background checks for employee security
clearances. "My SF-86 lists every place I've ever lived since I was 18,
every foreign travel I've ever taken, all of my family, their
addresses," he said. "So it's not just my identity."
The second-largest health insurer in the U.S., formerly known as
WellPoint, said a cyberattack had exposed the names, addresses, Social
Security numbers, dates of birth and employment histories of current and
former customers - everything necessary to steal an identity. In January
2018 a nationwide investigation concluded that a foreign government
likely recruited the hackers who conducted what was said to be the
largest data breach in healthcare history. It reportedly began a year
before it was announced, when a single user at an Anthem subsidiary
clicked on a link in a phishing email. The total cost of the breach is
not yet known, but it is expected to exceed $100 million. Anthem said in
2016 that there was no evidence that members' data had been sold, shared
or used fraudulently. Credit card and medical information also allegedly
had not been taken.
The Adobe breach was originally reported in early October 2017 by
security blogger Brian Krebs, and it took weeks to figure out the scale
of the breach and what it included. The company originally reported that
hackers had stolen nearly 3 million encrypted customer credit card
records, plus login data for an undetermined number of user accounts.
Later in the month, Adobe said the attackers had accessed IDs and
encrypted passwords for 38 million "active users." But Krebs reported
that a file posted just days earlier "appears to include more than 150
million username and hashed password pairs taken from Adobe." After
weeks of research, it eventually turned out that, in addition to the
source code of several Adobe products, the hack had also exposed
customer names, IDs, passwords and debit and credit card information. In
August 2015, an agreement called for Adobe to pay $1.1 million in legal
fees and an undisclosed amount to users to settle claims of violating
the Customer Records Act and unfair business practices. In November
2016, the amount paid to customers was reported at $1 million.
Meant to attack Iran's nuclear power program, but also serving as a
template for real-world intrusion and service disruption of power grids,
water supplies or public transportation systems, the immediate effects
of the malicious Stuxnet worm were minimal - at least in the United
States - but numerous experts rank it among the top large-scale breaches
because it was a cyberattack that yielded physical results. Its malware,
designed to target only Siemens SCADA systems, damaged Iran's nuclear
program by destroying an estimated 984 uranium enrichment centrifuges.
The attack has been attributed to a joint effort by the US and Israel,
although never officially acknowledged as such.
The impact of the cyberattack that stole information on the security
giant's SecurID authentication tokens is still being debated. RSA, the
security division of EMC, said two separate hacker groups worked in
collaboration with a foreign government to launch a series of phishing
attacks against RSA employees, posing as people the employees trusted,
to penetrate the company's network. EMC reported last July that it had
spent at least $66 million on remediation. According to RSA executives,
no customers' networks were breached. John Linkous, vice president,
chief security and compliance officer of eIQnetworks, Inc., doesn't buy
it. "RSA didn't help the matter by initially being vague about both the
attack vector, and (more importantly) the data that was stolen," he
says. "It was only a matter of time before subsequent attacks on
Lockheed-Martin, L3 and others occurred, all of which are believed to be
partially enabled by the RSA breach." Beyond that was psychological
damage. Among the lessons, he said, are that even good security
companies like RSA are not immune to being hacked. Jennifer Bayuk, an
independent information security consultant and professor at Stevens
Institute of Technology, told SearchSecurity in 2012 that the breach was
"a huge blow to the security product industry because RSA was such an
icon. They're the quintessential security vendor. For them to be a point
of vulnerability was a real shocker. I don't think anyone's gotten over
that," she said.
 
LEGISLATIVE HISTORY:
S.3235 of 2023-24: Referred to Consumer Protection
S.3003 of 2021-22: Referred to Consumer Protection
S.1749 of 2019-20: Referred to Consumer Protection
S.8461 of 2017-18: Referred to Consumer Protection
 
FISCAL IMPLICATIONS:
None.
 
EFFECTIVE DATE:
Immediately.