By: Aaron Krowne

On July 14, 2014, the New York Attorney General’s office (“NY AG”) released a seminal report on data breaches, entitled “Information Exposed: Historical Examination of Data Breaches in New York State” (the “Report”). The Report presents a wealth of eye-opening (and sobering) information on data breaches in New York and beyond. The Report is primarily based upon the NY AG’s own analysis of data breach reports received in the first eight years (spanning 2005 through 2013) based on the State’s data breach reporting law (NY General Business Law §899-aa). The Report also cites extensively to outside research, providing a national and international picture of data breaches. The Report’s primary finding is that data breaches, somewhat unsurprisingly, are a rapidly growing problem.

A Growing Menace

The headline statistic of the Report is its finding that data breaches in or affecting New York have tripled between 2006 and 2013. During this time frame, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 breaches, affecting more than 3,000 businesses. The “worst” year was 2013, with 7.4 million records exposed, mainly due to the Target and Living Social “mega-breaches,” which the Report revealed are themselves a growing trend. However, while the Report warned that these recent “mega breaches” appear to be a trend, businesses of all sizes are affected and at risk.

The Report revealed that hacking instances are responsible for 43% of breaches and constituted 64% of the total records exposed. Other major causes of breaches include “lost or stolen equipment or documentation” (accounting for 25% of breaches), “employee error” (totaling 21% of breaches), and “insider wrongdoing” (tallying 11% of breaches). It is thus important to note that the majority of breaches still originate internally. However, since 2009 hacking has grown to become the dominant cause of breaches, which, not coincidentally, is the same year that “crimeware” source code was released and began to proliferate. Hacking was responsible for a whopping 96.4% of the New York records exposed in 2013 (again, largely due to the mega-breaches).

The Report notes that retail services and health care providers are “particularly” vulnerable to data breaches. The following breaks down the number of entities in a particular sector that suffered repeated data breaches: 54 “retail services” entities (a “favorite target of hackers”, per the Report), 31 “financial services” entities, 29 “health care” entities, 27 “banking” entities, and 20 “insurance” entities.

The Report also points out that these breach statistics are likely on the low side. One reason for this is that New York’s data breach law doesn’t cover all breaches. For example, if only one piece of information (out of the two required types: (1) a name, number, personal mark, or other identifier which can be used to identify such natural person, combined with (2) a social security number, government ID or license number, account number, or credit or debit card number along with security code) is compromised, the reporting requirement is not triggered. Yet, the compromise of even one piece of data (e.g., a social security number) can still have the same effect as a “breach” under the law, since it is still possible for there to be actual damage to the consumer (particularly if the breached information can be combined with complementary information obtained elsewhere). Further, within a specific reported breach, the full impact of such may be unknown, and hence lead to the breach being “underestimated.”

Real Costs: Answering To The Market

Though New York’s data breach law allows the AG to bring suits for actual damages and statutory penalties for failure to notify (notification of all consumers affected, the NY AG’s office, and, for large breaches, consumer reporting agencies is required), such awards are likely to be minor compared with the market impact and direct costs of a breach. The Report estimates that in 2013, breaches cost New York businesses $1.37 billion, based on a per-record cost estimate of $188 (breach cost estimates are from data breach research consultancy The Ponemon Institute). However, in 2014, this per-record estimate has already risen to $201. The cost for hacked records is even higher than the average, at $277. The total average cost for a breach is currently $5.9 million, up from $5.4 million in 2013. These amounts represent only costs incurred by the businesses hit, including expenses such as investigation, communications, free consumer credit monitoring, and reformulation and implementation of data security measures. Costs on the consumers themselves are not included, so this is, once again, an underestimate.

These amounts also do not include market costs, for which the cases of the Target and Sony PlayStation mega-breaches of 2013 are particularly sobering examples. Target experienced a 46% drop in annual revenue in the wake of the massive breach of its customers’ data, and Sony estimates it lost over $1 billion. Both also suffered contemporaneous significant declines in their stock prices.

Returning to direct costs, the fallout continues: on August 5, 2014, Target announced that the costs of the 2013 breach would exceed its previous estimates, coming in at nearly $150 million.

Practices

The Report’s banner recommendation, in the face of all the above, is to have an information security plan in place, especially given that 57% of breaches are primarily caused by “inside” issues (i.e., lost/stolen records, employee error, or wrongdoing) that directly implicate information security practices. An information security plan should specifically include:

  • a privacy policy;
  • restricted and controlled access to records;
  • monitoring systems for unauthorized access;
  • use of encryption, secure access to all devices, and non-internet connected storage;
  • uniform employee training programs;
  • reasonable data disposal practices (e.g., using disk wiping programs).

The Report is not the most optimistic regarding preventing hacking, but we would note that hacking, or the efficacy of it, can also be reduced by implementation of an information security plan. For example, the implementation of encryption, and the training of employees to use it uniformly and properly, can be quite powerful.

Whether the breach threat comes to you in the form of employee conduct or an outside hack attempt, don’t be caught wrong-footed by not having an adequate information security plan. A certified privacy attorney at OlenderFeldman can assist you with your business’s information security plan, whether you need to create one for the first time, or simply need help in ensuring that your current information security plan provides the maximum protection to your business.

John Hancock…Is That Really You?

All too often, documents such as contracts, wills or promissory notes are contested based on allegations of fraudulent or forged signatures. Indeed, our office once handled a two-week arbitration based solely on the issue of authentication of a signature on a contract. Fortunately, a quick, simple and inexpensive solution to prevent this problem is to have the document notarized by a notary public (“Notary”). A notarization, or a notarial act, is the process whereby a Notary assures and documents that: (1) the signer of the document appeared before the Notary, (2) the Notary identified the signer as the individual whose signature appears, and (3) the signer provided his or her signature willingly and was not coerced or under duress. Generally speaking, the party whose signature is being notarized must identify himself/herself, provide valid personal identification (e.g., a driver’s license), and attest that the contents of the document are true and that the provisions of the document will take effect exactly as drafted. Finally, the document must be signed in the presence of the Notary.

Why is Notarization Important?

A primary reason to have a document notarized is to deter fraud by providing an additional layer of verification that the document was signed by the individual whose name appears. In most jurisdictions, notarized documents are self-authenticating. A Notary can also certify a copy of a document as being an authentic copy of the original. For more information, please see our previous blog post regarding the enforceability of duplicate contracts. Ultimately, this means that the signers do not need to testify in court to verify the authenticity of their signatures. Thus, if there is ever a dispute as to the authenticity of a signature, significant time and money can be saved by avoiding testimony – which also eliminates the potential of a dispute over witness credibility (i.e., he said, she said).

How are Notaries Regulated?

Each state individually regulates and governs the conduct of Notaries. For specifics on New Jersey law, see the New Jersey Notary Public Manual, and for New York’s law, see the New York Notary Public Law. In most cases, a Notary can be held personally liable for his or her intentional or negligent acts or misconduct during the notarization process. For example, a Notary could be liable for damages or criminal penalties if he or she notarizes a signature which was not provided in the Notary’s presence or which the Notary knows is not authentic. A Notary is generally charged with the responsibility of going through a document to make sure that there are no alterations or blank spaces in the document prior to the notarization. The strict regulation of Notaries provides additional recourse for the aggrieved party, as the Notary could be held responsible for damages a party suffers as a direct result of the failure of the Notary to perform his or her responsibilities.

The Future of Notarization

As with most areas of the law, notarization is attempting to catch up with technology. Some states have authorized eNotarization, which is essentially the same as a paper notarization except that the document being notarized is in digital form, and the Notary certifies with an electronic signature. Depending on the state, the information in a Notary’s seal may be placed on the electronic document as a graphic image. Nevertheless, the same basic elements of traditional paper notarization remain, including specifically, the requirement for the signer to physically appear before the Notary. Recently, Virginia has taken eNotarization a step further and authorized webcam notarization, which means that the document is being notarized electronically and the signer does not need to physically appear before the Notary. However, a few states, including New Jersey, have issued public statements expressly banning webcam notarization and still require signers to physically appear before a Notary.

The bottom line: parties should consider backing up their “John Hancock” by notarizing their important documents. The low cost, typical accessibility of an authorized Notary, and simplicity of the process may make it worth the extra effort.

Jordan Kovnot, an attorney with OlenderFeldman, LLP and adjunct professor at Fordham Law School, was quoted extensively in this article in Tablet Magazine about a new wave of Internet laws that target the perpetrators of so-called “revenge porn.”

The term “revenge porn” refers to the practice of maliciously posting sexually explicit images of an individual without their consent. The practice most commonly involves jilted former lovers who were either sent the images or actively participated in their creation (sometimes with the knowledge of the subjects, and sometimes secretly, using hidden cameras). After these relationships sour, the angry exes post the images online, often in tandem with links to the victims’ names, addresses, places of work, and social media accounts. In addition to humiliation and mental anguish, victims of revenge porn have been subsequently targeted by stalkers and extortionists who find their pictures and contact information online.

New Jersey’s invasion of privacy law prohibits making secret recordings of individuals engaged in sexual conduct. That law was used to prosecute a Rutgers student who surreptitiously recorded his roommate, Tyler Clementi, whose subsequent suicide brought national attention to the case. Last year California passed a law that criminalizes the posting of explicit photographs of an individual without his/her consent, though it is limited to instances in which the perpetrator was also the photographer. Recently a bill was put forth in the New York State Senate to outlaw the posting of revenge porn regardless of who created the images and regardless of whether they were created in secret. Such a law would go as far as to punish the unauthorized publication of so-called “selfies” (explicit self-portraits willingly shared by the photographer) where the publication was done with an intent to cause distress.

As Kovnot discusses in the interview, the images at the heart of these violations are often taken in the context of intimate, trusting relationships. As those relationships fall apart, angry, jealous or spiteful individuals sometimes exploit those pictures and videos in order to inflict pain. Existing privacy laws often offer little help to victims, particularly in instances in which the victim willingly shared (or assisted in the creation of) the image. In those cases the victim is often deemed to have no expectation of privacy. These new laws are intended to help serve as deterrents and to provide victims with new avenues for relief.

Cyber-bullying bill may threaten anonymous speech in New York

By Alice Cheng

In an attempt to combat cyber-bullying, a bill entitled the Internet Protection Act has been proposed in New York, requiring New York-based websites to “remove any comments posted on his or her website by an anonymous poster unless such anonymous poster agrees to attach his or her name to the post.” The bill would allow those who are bullied or defamed online to take action to remove material. However, the bill only applies to anonymous comments. It would also allow business owners the right to question negative online service and product reviews.

Although this statute was presumably created with good intentions, it also comes with serious First Amendment and privacy concerns. Website administrators would have the right to request that the anonymous users attach their names to the post, and must also verify the accuracy of their IP address, legal name, and home address. This appears to clash with the conceptions most have regarding the rights to online privacy and anonymous speech.

The right to anonymous Internet speech, while not absolute, is nevertheless protected by the First Amendment. Protection is extended so long as the speaker is not involved in tortious or criminal conduct. Additionally, Section 230 of the Communications Decency Act provides immunity for Internet Service Providers (read: websites, blogs, listservs, forums, etc.) who publish information provided by others, so long as they comply with the Digital Millennium Copyright Act of 1998 (“DMCA”) and take down content that infringes the intellectual property rights of others.