Record number of New Yorkers impacted by data breaches in 2017

New York's Attorney General says his office received a record number of data breach notices in 2017.

On Thursday, Attorney General Eric Schneiderman released a report titled  "Information Exposed: 2017 Data Breaches in New York State." According to the report, companies and other entities reported 1,583 data breaches to the Attorney General's Office in 2017, exposing the personal records of 9.2 million New Yorkers. That's quadruple the number of New Yorkers impacted in 2016.

Now, Attorney General Schneiderman says he is introducing legislation to require Facebook and other social media sites to notify his office and New York consumers when they learn that users' personal data was obtained and misused in violation of the law or the platform's terms of service.

Attorney General Schneiderman is also urging the State legislature to pass his Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).  Schneiderman introduced the bill last fall because he believes it would close major gaps in New York's data security laws.

Under the SHIELD Act, companies would have a legal responsibility to adopt "reasonable" administrative, technical, and physical safeguards for sensitive data; the bill also would expand the types of data that trigger reporting requirements.

"Data breaches can cause personal crises for New Yorkers every time they happen – driving down credit scores and destroying financial lives," said Attorney General Schneiderman. "We saw a record number of data breaches in 2017, jeopardizing the personal information of 9.2 million New Yorkers. My office will continue to hold companies accountable for protecting the personal information they manage – but it's also time for Albany to bring our laws into the 21st century and ensure that New Yorkers are not needlessly victimized by weak data security and criminal hackers."

The report revealed that social security numbers accounted for 40 percent of the exposed records, financial account information such as credit card numbers accounted for 33 percent of records exposed.

Hacking accounted for 44 percent of security breaches and 25 percent of breaches were due to negligence.

There were 23 percent more reported security breaches affecting New Yorkers than 2016, and the number of New Yorkers who were affected more than quadrupled in the same amount of time.  This increase can mainly be attributed to the Equifax breach.

The Attorney General's Office suggests that consumers guard against threats in the following ways:

• Create Strong Passwords for Online Accounts and Update Them Frequently. Use different passwords for different accounts, especially for websites where you have disseminated sensitive information, such as credit card or Social Security numbers. 
• Carefully Monitor Credit Card and Debit Card Statements Each Month. If you find any abnormal transactions, contact your bank or credit card agency immediately. 
• Do Not Write Down or Store Passwords Electronically. If you do, be extremely careful of where you store passwords. Be aware that any passwords stored electronically (such as in a word processing document or cell phone's notepad) can be easily stolen and provide fraudsters with one-stop shopping for all your sensitive information. If you hand-write passwords, do not store them in plain sight. 
• Do Not Post Any Sensitive Information on Social Media. Information such as birthdays, addresses, and phone numbers can be used by fraudsters to authenticate account information. Practice data minimization techniques. Don't overshare.
• Always Be Aware of the Current Threat Landscape. Stay up to date on media reports of data security breaches and consumer advisories.  

The Attorney General's Office recommends taking the following steps if you believe you have been victimized by a data security breach:

• User Names and Passwords: Change user names and passwords immediately on the relevant account and monitor the account for unusual activity. If you use the same user name or password on other accounts, change those as well.  
• Credit Card Numbers: For breaches involving credit card numbers, social security numbers, and other sensitive numbers, create an Identity Theft Report by filing a complaint with the Federal Trade Commission and printing your Identity Theft Affidavit. You can call the Federal Trade Commission at 1-877-438-4338.
• Use the Identity Theft Affidavit to file a police report and create your Identity Theft Report. An Identity Theft Report will help you deal with credit reporting companies, debt collectors, and any fraudulent accounts that the identity thief opened in your name. You may also want to put a fraud alert and/or security freeze on your credit report by notifying each of the credit reporting agencies (Equifax, TransUnion, and Experian). A security freeze is the strongest protection for your credit and remains on your credit file until you remove it or choose to lift it temporarily when applying for credit services.