Just three weeks after the effective date of the new NY State Cybersecurity regulations, New York Attorney General Eric T. Schneiderman announced that his office received a record number of data breach notices in 2016. The close to 1,300 reported data breaches represented a 60 percent increase over the previous year; these breaches exposed the personal records of 1.6 million New Yorkers, a threefold increase over the prior year. While 23 NYCRR Part 500 addresses only Financial Services organizations with prescriptive guidance, the NY State Government states that “no organization is exempt from the risk of a data breach. Data exposure can occur at small family businesses, government agencies, and large multinational corporations.”
In its message to companies, the Attorney General’s office recommends:
- Create an Information Security Plan That Includes Encryption: Creating a comprehensive Information Security Plan is a complex but necessary endeavor. Studies show that entities with an effective plan will articulate not only technical standards, but will incorporate training, awareness, and detailed procedural steps in the event of data breaches.
- Implement an Information Security Plan: Successful implementation of a thoughtfully designed plan can be one of the most effective ways to minimize the risk of a data breach. Elements to consider when implementing a plan include ensuring employees are aware of the plan and conducting regular reviews to ensure the plan continues to conform with evolving best practices.
The Attorney General’s office first began collecting information regarding exposure of personal data in 2005. It will be interesting to see if the new NY Cybersecurity laws, which require FinServ companies to have a cybersecurity program as well as policies and procedures in place by August 28, 2017, will have an effect on the office’s 2017 breach report.
To read the full report by the office of the Attorney General: