New York Enacts Data Breach Bill

New York's Governor George Pataki this week signed into law a bill that requires companies and government agencies to notify customers and citizens when their personal information has been lost, stolen, or exposed.

The Information Security Breach and Notification Act in New York is similar to a California law enacted in 2003, which in turn is the model used by several of the federal bills pending in the U.S. Senate.

If a user's Social Security, driver's license, or credit card numbers, or other confidential data are compromised, businesses and agencies must contact the customer "in the most expedient time possible and without unreasonable delay," the bill reads.

The new law also gives the state's Attorney General authority to file an injunction against companies which violate the new law, and provides for penalties of up to $150,000.

Like much of the furor over data breaches, New York's law stemmed from the ChoicePoint scandal earlier this year when fraudsters managed to buy thousands of personal records from the Georgia-based data broker. Some 9,000 New Yorkers were alleged to be among those who data was sold to criminals.

"As a victim of identity theft myself, I know how invasive and hurtful this crime can be," said Sen. Charles Fuschillo, the bill's sponsor, in a statement when the law passed from the Senate to Pataki. "Timely notification is critical to providing consumers the opportunity to protect themselves from identity theft, and prevent subsequent fraud."

The bill was passed by the state's Senate in late June, signed into law by Pataki on Wednesday, and will take effect before the end of the year.