New York AG Reports that Data Breaches Cost New York Businesses over $1B Last Year

by White & Case LLP

The current headline in data security is a just-released report from the New York Attorney General's Office (the "AG Report") announcing that the number of reported data breaches more than tripled between 2006 and 2013, exposing 22.8 million personal records of New Yorkers.[1] The AG Report reveals that last year's record-breaking exposure of 7.3 million New Yorkers' personal information – with an estimated cost to business of $1.37 billion – was largely due to two sophisticated hacking attacks at Target and Living Social.[2] Troublingly, these "mega-breaches" are a growing trend, with five of the ten largest breaches reported to the New York AG occurring in the past three years.[3]

According to the AG Report, hackers were the primary culprits of data breaches, accounting for over 40% of New York's 4,926 breaches and over 63% of total records exposed.[4] Other leading causes were lost or stolen equipment or documentation (24%), employee error (20%), and insider wrongdoing (10%).[5] The AG Report shows that recurring breaches afflict not only retailers but also companies in financial services, health care, banking and insurance.[6]

While the AG Report highlights the increasing costs of data breaches, it may understate the total price tag. The AG Report estimates a $1.37 billion cost by multiplying the number of records exposed in 2013 (7.3 million) by $188,[7] the average cost of one personal record compromised in the U.S., according to a 2013 global study from Symantec and the Ponemon Institute.[8] But not all breaches are alike – the cause of the breach can have a critical impact on its cost. According to the Symantec-Ponemon study, data breaches caused by hacking attacks in the U.S. imposed a higher than average per-record cost of $277.[9] Records compromised by system glitches and employee mistakes had a relatively low per-record cost, at $174 and $159 respectively.[10] Given that a large portion of New York's reported breaches were caused by hackers and many breaches were not required to be reported under New York law, the cost to business was likely even greater.[11] Moreover, this year's Ponemon Institute study (now sponsored by IBM) on U.S. data breaches points to a trend of rising costs: compared to 2013, the average per-record cost increased from $188 to $201, and the average total cost of a breach rose from $5.4 million to $5.9 million.[12]

Companies can, however, significantly reduce the impact of a breach with enhanced security awareness and planning. Organizations with an incident response plan in place prior to the data breach reduced the average per-record cost by $17.[13] Having a Chief Information Security Officer saved an average of $10 per record.[14] The prime factor was adopting a "strong security posture," which reduced the average per-record cost by $21.[15] A strong security posture includes knowing where sensitive or confidential information is located, securing endpoints to the network, identifying system users before granting access rights to sensitive information, conducting training and awareness programs for system users, conducting independent system audits, installing security patches in a timely manner, and complying with privacy laws.[16] Although it is important to act quickly once a breach is discovered, where the law permits a preliminary investigation, the optimal response may not be immediate disclosure: entities that notified customers before undertaking a thorough assessment or forensic examination incurred an average cost of $15 more per record.[17]

Data breaches impose serious long-term costs on business. In the wake of Target's breach, the retailer reported a 46% decrease in net earnings and suffered a significant drop in stock price.[18] After 77 million PlayStation Network accounts were hacked in 2011, Sony Entertainment lost an estimated $1 billion and saw its stock fall 6%.[19] A recent study from McAfee and the Center for Strategic and International Studies calculated the annual global cost of cybercrime to be more than $400 billion.[20] With the emergence of the "internet of things," it is good business for companies to take cyber-security more seriously.

[1] - New York State Attorney General Eric T. Schneiderman, "Information Exposed: Historical Examination of Data Breaches in New York State," at 1, available at
[2] - Id. at 1, 3.
[3] - Id. at 5.
[4] - Id. at 4. The AG Report notes that hackers can obtain up to $45 per record on the black market for stolen personal information. Id. at 1.
[5] - Id. at 4 (figures rounded).
[6] - A total of 241 institutions reported three or more data breaches to the New York AG since 2006. Of these "multiple breach entities," 54 were retailers, 31 were in financial services, 29 were in health care, 27 were in banking, and 20 were in insurance. Id. at 6.
[7] - Id. at 11.
[8] - Ponemon Institute, "2013 Cost of Data Breach Study: Global Analysis," May 2013, at 1,
[9] - Id. at 1-2.
[10] - Id. at 8.
[11] - See AG Report at 4. New York state law only requires notification to the Attorney General when certain combinations of personally identifying information are disclosed (e.g. a full name and credit card number), so thousands of breaches involving the disclosure of sensitive information went unreported. See New York State General Business § 899-aa; AG Report at 17. This loss estimate also does not account for the economic cost felt by the consumers whose privacy and identities were compromised, such as needing to replace credit cards or having a credit score harmed by an identity thief. AG Report at 17.
[12] - Ponemon Institute, "2014 Cost of Data Breach Study: United States," May 2014, at 1,, (follow the "United States" link) ("2014 U.S. Cost of Data Breach Study").
[13] - Id. at 9 (U.S. figures).
[14] - Id. (U.S. figures).
[15] - Id. (U.S. figures).
[16] - Id. at 9 n.6.; Ponemon Institute, "The True Cost of Compliance" January 2011, at 30,
[17] - 2014 U.S. Cost of Data Breach Study at 9.
[18] - Elizabeth Harris, "Data Breach Hurts Profit at Target," N.Y. Times, Feb. 26, 2014,
[19] - Juro Osawa, "As Sony Counts Hacking Costs, Analysts See Billion-Dollar Repair Bill," Wall St. J., May 9, 2011,; Ian Sherr and Nick Wingfield, "Play by Play: Sony's Struggles on Breach," Wall St. J., May 7,
[20] - Center for Strategic and International Studies, "Net Losses: Estimating the Global Cost of Cybercrime," June 2014, at 2,

*Alexander Reid, a summer associate at the firm, assisted with the preparation of this article.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising
