New Yorkers’ Personal Information Exposed by Brokerage Firm
A company that lost track of a computer containing the personal information of 540,000 New Yorkers but didn’t tell the state about it for five weeks has agreed to promptly notify people if security is breached again, Attorney General Andrew Cuomo said Thursday.
CS Stars, an independent insurance brokerage, will also put new precautions in place to safeguard consumer information and pay the state $60,000 in costs for its investigation.
The computer went missing May 9, 2006 from one of the Chicago company’s secured facilities. Most of the workers whose information was contained on the computer are New Yorkers in two special funds of the workers’ compensation system. CS Stars was using the computer to move the data – including names, addresses and Social Security numbers – from the state to the company’s computerized claim system.
It wasn’t until June 29 that the company notified the state and called in the FBI. The FBI asked that no consumers be notified immediately because it would impede their investigation, Cuomo said.
Consumers were notified starting July 18 and the computer was located July 25. Investigators determined that the information had not been accessed.
The company offered the affected workers identity theft insurance, 12 months to get free credit reports and access to fraud resolution specialists.
Identity theft is considered one of the country’s fastest growing white-collar crimes. A survey in 2006 reported that there have been more than 28 million new identity theft victims since 2003, but experts say many incidents go undetected or unreported.
Under New York’s Information Security Breach and Notification Law, any business that maintains personal information that it doesn’t own must notify the data’s owner of any security breach “immediately following discovery” and all affected consumers in the most “expedient time possible.” The attorney general’s office, Consumer Protection Board, and state office of Cyber Security also must be notified.
CS Stars admitted no violation of any laws, agreed to the notification policy and said it would beef up security.
NYS Information Security Breach and Notification Act: http://www.oag.state.ny.us/consumer/tips/id_theft_law.html