On March 21, 2017, the Attorney General (“AG”) of New York,  Eric T. Schneiderman, announced that his office received a record number of data breach notices in 2016. The total number of breach notifications received by the AG’s office was nearly 1,300. This represents a 60% increase over the total number of reported breaches for 2015.  The AG’s office estimates that 1.6 million New Yorkers had their personal information exposed in 2016, which represents a three-fold increase from 2015.

The New York AG’s office has been collecting information regarding data breaches concerning state residents since 2005, when the state first passed its security breach notification statute - N.Y. Gen. Bus. Law §899-aa. Since the initial version of the statute, the law has required notification to the AG’s office “in the event that any New York residents are to be notified.” This means that the AG’s office receives notifications of any data security breach involving New York residents regardless of the size of the breach. In contrast, some states only require notification of a data security breach to the state AG’s office if the total number of state residents notified surpasses a threshold number. For example, California requires notification to the state AG if a security breach resulted in notifying more than 500 California residents.

Based on an analysis of the collected breach notifications by the New York AG’s office, AG Schneiderman estimated that 40% of all reported data security breaches were the result of hacking. The second leading cause for breach notifications was employee error, which consisted of a combination of inadvertent exposure of records, insider wrongdoing, and the loss of a device or other media.

Across all reported breaches involving New York residents, social security numbers and financial account information made up 81% of the information types that were disclosed during a breach. This is not surprising given that New York’s security notification statute defines a security breach to be the disclosure of “personal information consisting of any information in combination with any one or more of the following data elements”:  “(1) social security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”

In contrast to the reported increase, the total number of reported “mega-breaches” in 2016 was relatively low. Although AG Schneiderman’s report did not define the term “mega-breach,” the report stated that New York experienced only two mega-breaches this past year. First, HSBC bank reported exposing financial, personal, and social security information of 251,201 New Yorkers on January 13, 2016. In addition, Newkirk Products Inc. reported exposing personal health information of 761,782 New Yorkers on October 12, 2016. In comparison, from 2006 through 2013, New York recorded 28 mega-breaches. Although these two breaches combined to impact more than one million New York residents, it appears that smaller and more frequent breaches also are adding up to impact a large number of residents of the state.