The NYS Attorney General has announced a settlement following a data breach I never heard about. And I’m guessing that some people will grumble that the monetary penalty is too light.
NEW YORK – Attorney General Eric T. Schneiderman today announced a settlement with Doritex Corp. and its website developer Kallus Opraments, involving the disclosure of over 500 social security numbers on the Internet. The companies have agreed to pay a total of $95,000 and to shore up their data security practices.
“Far too many companies consistently fail to protect our most personal information,” said Attorney General Schneiderman. “I am committed to protecting the privacy of residents of New York State. No one should be exposed to identity theft or financial fraud from a company’s negligent data security practices.”
The settlement requires Doritex, based in Erie County, New York, to provide prompt notice of confirmed data security breaches to affected New York residents and to the Attorney General, and to implement reasonable security policies and procedures designed to protect private information in accordance with New York State General Business Law. It also requires Doritex to pay a $55,000 penalty. Kallus Opraments must also implement additional data security policies and procedures, train its employees in current data security practices, and pay a $40,000 penalty.
In late June 2015, the Attorney General received a tip that Doritex’s employment applications could be viewed over the Internet through a simple Google search. These employment applications included personal information of the applicant, including name, address, and Social Security number. Google regularly crawls the Internet and temporarily copies websites to create an index for its search engine. The Attorney General’s investigation found that Doritex’s website and employment application portal were not secure and did not properly implement encryption technology, security deficiencies that enabled Google’s web crawlers to cache approximately 518 employment applications on Google’s servers, leaving them accessible to anyone for over a month.
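The release says only that the portal "was not secure" and "did not properly implement encryption", so the exact flaws are not on record. The following audit helper is an added example (not code from the Attorney General, Doritex, or Kallus Opraments) that checks a submitted-application URL for the conditions that let a crawler archive it: served over plain HTTP, returned with 200 to a client that sent no credentials, and missing the `X-Robots-Tag` and `Cache-Control` headers that tell search engines not to index or archive the page. The sample URLs, status codes and headers are constructed, and the assumption that these four conditions are what mattered in the Doritex case is mine, not the release's.

```python
"""Audit whether an endpoint that serves submitted personal data (job
applications, for instance) is reachable the way a search-engine crawler
would reach it: anonymously, over plain HTTP, with nothing forbidding
indexing or archiving.  Sample inputs below are constructed, not captured."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def audit_endpoint(url, status_without_auth, headers):
    """Return a list of findings for `url`, given the status code and response
    headers the server returned to a client that sent NO credentials.
    An empty list means none of the four exposure conditions was observed."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    findings = []

    # 1. Transport: anything not HTTPS carries the SSNs in the clear.
    if urlsplit(url).scheme != "https":
        findings.append("no TLS: data travels in the clear")

    # 2. Access control: an anonymous client must not get the document.
    #    robots.txt is NOT a control here; a crawler that ignores it, or a
    #    human with the link, still gets the file.  Only auth stops that.
    if status_without_auth == 200:
        findings.append("no authentication: anonymous client received 200")

    # 3. Indexing: defense in depth even behind auth, so a login page or an
    #    error page for the URL never lands in a search index or cache.
    robots = h.get("x-robots-tag", "")
    if "noindex" not in robots or "noarchive" not in robots:
        findings.append("indexable: X-Robots-Tag lacks noindex/noarchive")

    # 4. Caching: intermediaries and crawler caches must not keep a copy.
    if "no-store" not in h.get("cache-control", ""):
        findings.append("cacheable: Cache-Control lacks no-store")

    return findings


def probe(url, timeout=10):
    """Fetch `url` anonymously and return (status, headers) for audit_endpoint.
    Network helper for real use; the samples below do not call it."""
    req = urllib.request.Request(url, headers={"User-Agent": "portal-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # 401/403 are the outcomes we want
        return err.code, dict(err.headers.items())


# Constructed samples: an application document exposed the way the release
# describes, and the same document behind a hardened configuration.
EXPOSED = ("http://careers.example.invalid/applications/518.pdf", 200, {})
HARDENED = (
    "https://careers.example.invalid/applications/518.pdf",
    401,
    {
        "X-Robots-Tag": "noindex, noarchive, nofollow",
        "Cache-Control": "no-store",
        "WWW-Authenticate": 'Basic realm="hr"',
    },
)


def run_samples():
    """Audit both constructed samples and return their findings by label."""
    return {
        "exposed": audit_endpoint(*EXPOSED),
        "hardened": audit_endpoint(*HARDENED),
    }


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label}: {findings or 'no findings'}")
```

Run it as-is to see the constructed samples; to audit a live portal you control, pass the result of `probe(url)` into `audit_endpoint(url, *probe(url))`. The order of the checks is deliberate: authentication is the control that actually prevents disclosure, and the `X-Robots-Tag` and `Cache-Control` headers only limit how far a copy spreads once something has already been served.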
Doritex was alerted to the breach on June 22, 2015 by a third party complainant, and while it immediately took corrective steps to stop Google crawlers from copying the employment applications, it did not notify the affected individuals or Schneiderman’s office until July 21, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office, “in the most expedient time possible and without unreasonable delay.”
Under the agreement, Doritex has agreed to provide notice of future breaches as soon as possible and to implement reasonable data security policies and procedures when handling employment applications over the Internet. Doritex has also agreed to:
- Review, bi-annually, its existing internal policies and procedures regarding the collection and processing of private information;
- Designate one or more employees to coordinate and supervise its privacy and security program;
- Adopt protective technologies for the storage, access, and transfer of private information, and credentials related to its access, including the adoption of encryption protocols for the transfer of any social security numbers; and
- Respond to events involving unauthorized acquisition, access, use, or disclosure of private information including training all staff on data breach notification law.
Website developer Kallus Opraments, owned by Robert Franke, developed Doritex’s website and employment application portal. He has agreed to develop and implement reasonable security policies and procedures when designing or building websites, or other web applications connected to the Internet, that collect private information, including the adoption of appropriate encryption for the transfer of any Social Security numbers. He will also train his employees on current website and database security practices and data security policies. Finally, he will review existing policies and procedures regarding the collection, storage, transfer and transportation of private information for clients and promptly amend such policies and procedures to protect more adequately the privacy and confidentiality of the private information. Kallus Opraments’ $40,000 penalty was suspended, conditioned on compliance with the agreement, because of the company’s financial condition.
This case was handled by Bureau of Internet and Technology Deputy Bureau Chief Clark Russell and Resident Technologist Marc Kowtko. The Bureau of Internet and Technology is led by Bureau Chief Kathleen McGee.
SOURCE: NYS Attorney General Schneiderman