The Marsh insurance brokerage's claims management subsidiary, CS Stars, has reached a $60,000 settlement with New York authorities over a security breach that exposed data from 540,000 people in the state's workers' compensation system.

New York Attorney General Andrew M. Cuomo announced the agreement today over the 2006 incident. He said it was the first settlement under New York's Information Security Breach and Notification Law. The $60,000 will pay the costs of the investigation, his statement said, and Stars admitted no violation of law.

The personal information was in a computer stolen from the Chicago-based Stars and later recovered by the FBI, which found the personal data had not been accessed.

Mr. Cuomo's statement said Stars had failed to tell the non-profit benefits assistance firm that owned the computerized data about the theft, and did not notify individuals whose data was at risk for seven weeks.

The company, he said, has agreed to implement precautionary procedures and comply with New York's notification law in the event of a security breach.

According to the attorney general, the following sequence of events occurred:

The computer theft was discovered May 9, 2006, when an employee at CS Stars noticed that a computer holding names, addresses and Social Security numbers of recipients of workers' comp benefits was missing.

The New York Special Funds Conservation Committee–a not-for-profit organization created to assist in providing comp benefits to workers–was the owner of the missing material, which was contained in a desktop that was sent to CS Stars for data conversion.

Not until June 29, 2006, did CS Stars first notify Special Funds of the security breach, according to Mr. Cuomo.

His statement related that on that same date, CS Stars notified the FBI and requested assistance. The FBI requested that no notifications be sent at that time to potentially affected people regarding the computer because the FBI was concerned that the notifications would impede its investigation.

CS Stars notified the Attorney General's office, the Consumer Protection Board and the state office of Cyber Security of the breach on June 30, 2006.

On July 18, 2006, CS Stars–on behalf of its client, Special Funds–and with the permission of the FBI, began sending notices to the approximately 540,000 potentially affected New York consumers notifying them of the security breach.

The company offered each person a number of free services and coverage, including daily monitoring of national credit reports for 12 months and $25,000 in identity theft insurance.

The FBI investigation found that the computer had been stolen by an employee of a cleaning contractor, and the missing computer was located and recovered on July 25, 2006. The FBI's investigation indicated that the data on the missing computer had not been improperly accessed.

“This company had sufficient cause to believe that the private information contained in the missing computer had been acquired by a person without valid authorization,” said Mr. Cuomo.

“Had the sensitive personal information fallen into the hands of criminals with the intent of identity theft, there would have been ample time to victimize hundreds of thousands of consumers. The law requires prompt notice to prevent such disastrous results,” he added.

Under New York's Information Security Breach and Notification Law, any business which maintains private information which it does not own must notify the owner of the data of any security breach “immediately following discovery” of the breach, and must notify all affected consumers in the “most expedient time possible.”

Notice of the breach must also be given to the Attorney General's office, the Consumer Protection Board, and the state office of Cyber Security.
