skip banner navigation new york state banner - this will open a new window  
CPB Home Press Releases Consumer Links
Contact: Deborah Sturm Rausch (518) 473-9472 For Immediate Release: March 18, 2008

The NYS Consumer Protection Board Urges Vigilance Regarding New Data Security Breach

This week’s news of a data breach involving some 4.2 million credit and debit card numbers is another glaring example of how data is compromised in today’s digital age, leaving millions of Americans at risk for identity theft. In fact, in a December 2006 report, the Privacy Rights Clearinghouse, a nonprofit organization that monitors security breaches, states that more than 100 million Americans were placed at risk for identity theft.

“No one is immune from a data breach,” said Mindy A. Bockstein, Chairperson and Executive Director of the CPB. “Data security is making headlines nearly every day, as highlighted by yesterday’s notice of the breach involving the Hannaford Brothers supermarket chain. The heightened level of vulnerability and exposure created by the compilation of large electronic databases necessitates a greater level of risk sensitivity. We should work toward enhanced disclosure of data leaks which will go a long way toward building customer trust and minimizing risk. The CPB is working on new legislation to advance greater protections for consumers with regard to data breach and security freeze.”

The CPB’s experience shows that consumers reacting to security breaches are not aware of the type and amount of personal information that is maintained about them by various entities. In August of 2007, Monster.com, an online recruitment site, discovered that hackers had broken into its password-protected resume database. As a result of this breach, the names, addresses, phone numbers and e-mail addresses of 1.3 million job seekers were stolen, leaving these individuals vulnerable to identity theft.

Security breach legislation was enacted into law in New York State in response to the 2005 ChoicePoint breach that exposed personal records of more than 160,000 individuals. Current statutory provisions place obligations on both State and local government entities and private businesses in New York to provide notification when a security breach occurs involving personal information so that affected consumers can take appropriate action to protect themselves from the threat of identity theft.

Under New York State law, State agencies and those persons conducting business in New York State that own or license computerized data are required to file a breach notice with the CPB, CSCIC and the Office of the Attorney General. State agencies or persons who do not own, but maintain, private information are required to notify the owner or licensee of such information in the event of a breach. In the event that more than 5,000 consumers are affected by a security breach, the breaching entity must file notice with the three major credit reporting agencies; TransUnion, Equifax, and Experian.

The CPB has reached out to Hannaford, and, according to their representative, no names or personal identification other than the credit or debit card numbers and their expiration dates were made public. However, that information, when utilized on the Internet, is enough for the commission of fraud and identity theft. The breach applies to multi-purpose credit/debit cards as well as credit cards that were used at Hannaford stores in the Northeast, and in other locations.

“Consumers should also be wary of scammers who capitalize on situations like these,” added Bockstein. “Hannaford has assured us that they will not send e-mails asking for personal information or call consumers to confirm personal information. If you receive a contact asking for this type of information, do not provide it.”

The federal Electronic Funds Transfer Act limits liability for unauthorized electronic fund transfers. The dollar amount for which consumers may be liable is limited depending upon how quickly a theft is reported. For example, if a consumer reports an ATM card stolen or lost within two business days of discovering the loss or theft, the liability is limited to $50. After two business days, but within 60 days after a statement is received showing a withdrawal or transfer by an unauthorized person, a consumer can be liable for up to $500.

The Truth in Lending Act limits liability for unauthorized credit card charges to $50 per card, if consumers follow the law’s requirements, which include writing to the creditor at the address given for billing inquiries, providing the name, address, account information and description of the issue, and sending the notice within 60 days after the first bill containing the error was mailed.

“It is imperative that consumers take immediate action to protect their hard-earned money as well as their personal identity, especially in the wake of a breach of this magnitude,” said Bockstein. “The CPB stands ready to assist New York consumers with any issues that may arise as a result of this, or any other security breach.”

The CPB advises consumers who feel their identity or personal privacy may have been compromised by this or any data security breach to:
  • Get the facts before you do anything. The notification you receive or posted on the breaching entity’s website will tell you what data was lost or stolen and when it happened. It should also provide contact information for the notifying entity so you can investigate the facts further.
  • Ask what the entity will be doing to reduce your risk of identity theft. For example, will credit monitoring services be offered at no cost for a specific period of time?
  • Watch for signs of fraud. Not every security breach ends in theft or fraud. Check your credit card billing statements for fraudulent charges and monitor your bank and other financial statements. If you spot something suspicious or unusual, report it to your credit card or financial company immediately.
  • Ask whether the company or agency that lost your information will notify the three major credit reporting agencies: TransUnion, Equifax and Experian. They are required to do so when more than 5,000 New Yorkers are affected.
  • Check your credit report. Under the law, you are entitled to a free annual report from each of the three major credit reporting agencies. Review the report carefully and follow-up with any errors or fraudulent entries.
  • Close accounts. Depending upon the nature of the security breach, you may need to close various accounts and open new ones with password protections. There should be no bank charges associated with the issuance of a new card.
  • Learn more about personal information protections. You may want to consider contacting a credit reporting agency and placing a “fraud alert” and “security freeze” on your credit file which will make it more difficult for someone to open a credit card account or borrow money in your name. Placing a fraud alert is free. Applying a security freeze on your file is free for first time use.
  • Retain your paperwork. Keep all notes from any conversation and any records about the security breach for future reference.
Data security is a key issue for the CPB. Thus, in the past year, great emphasis has been placed on identity theft, Internet security, privacy and security breaches. The CPB has dedicated resources about these and additional issues on its website, www.nysconsumer.gov, for consumers and businesses. Consumers are urged to visit the CPB’s website to file complaints or to access important information.

The CPB, established in 1970 by the New York State Legislature, is the State's top consumer watchdog and think tank. The CPB's core mission is to protect New Yorkers by publicizing unscrupulous and questionable business practices and product recalls; conducting investigations and hearings; enforcing the “Do Not Call Law”; researching issues; developing legislation; creating consumer education programs and materials; responding to individual marketplace complaints by securing voluntary agreements; and, representing the interests of consumers before the Public Service Commission and other State and federal agencies.

To file a consumer complaint with the NYS Consumer Protection Board (CPB), call our toll-free hotline at 800-697-1220 or visit CPB’s website at www.nysconsumer.gov. In addition to the online complaint form, the website is home to important consumer safety information. To join the CPB’s Do Not Call Reminder list, send an e-mail to CPB's Do Not Call Reminder list