
New York Signs Security Bill


New York Governor George Pataki has signed a bill requiring companies and state agencies to tell New York customers when the security of their data has been compromised.

The legislation was passed in June by New York’s State Senate and signed into law Wednesday. It is modeled after a similar bill passed in California in 2003 in the wake of the ChoicePoint breach, which exposed information on 30,000 customers in California and more than 9,000 in New York.

“The new law applies to businesses and state government agencies that maintain databases when there is a breach involving the acquisition of information such as Social Security numbers, credit card numbers, drivers licenses, and other vulnerable personal information,” said New York State Assembly member James Brennan (D-Brooklyn), who sponsored the bill.

Under the law, companies that have customers in New York State have to notify the consumer of any breach as soon as possible. The law also requires local governments in New York to develop a policy on doing the same, and gives the New York Attorney General the ability to seek a court order if the company fails to comply.

The bill applies to “any company large or small that maintains significant amounts of personal data, including banks, finance companies, and credit card companies,” according to Mr. Brennan.

He said the bill did not run into heavy opposition, although there were concerns from some businesses, including financial services giant Citibank, about how it would be applied. The bill went through numerous revisions and amendments as legislators met with each other and with businesses.

“Most businesses in New York acknowledged the importance of privacy protection,” said Mr. Brennan. “They were socially responsible in their view of the matter.”

Hacker Concerns 

Some companies, however, were concerned about defining exactly what type of hacking incident or security breach would trigger the required notification of customers. They wanted to know what would happen, for example, if a hacker merely defaced a corporate web site without exposing customer information.

The version of the bill that was passed requires businesses to notify their customers if their personal information has been breached.

The bill also noted that ChoicePoint at first refused to notify its 110,000 customers outside California about the security breach and only agreed to notify 110,000 customers in New York and other states under pressure.

The bill was originally passed by the Assembly last year, but did not receive enough backing at the time in the State Senate.

This year, with reports mounting of data security breaches, including reports of data lost from Citigroup, the bill found a co-sponsor in the State Senate in Charles Fuschillo (R-Long Island), who pushed hard for the law to be passed.

Mr. Fuschillo had introduced similar legislation last year, co-sponsored by Jeffrey Klein (D-Bronx), chairman of the Assembly’s Oversight Committee, but the bill did not pass in the Senate. The mounting reports of consumer data breaches helped spur support in the Senate this year.

The Assembly reintroduced a similar bill and passed it again in May of this year, followed by the State Senate the following month, and it was delivered to the governor’s desk at the end of July. The bill is scheduled to go into effect in early December.


“This bill would ensure that New Yorkers receive quick notification so they can protect themselves from being further victimized,” said Mr. Fuschillo.


State by State and Nationally

Legislation requiring consumer notification of data breaches has been approved in at least 15 states as of the end of June, according to Governing magazine. Bills in three other states are awaiting gubernatorial approval.


The laws vary from state to state. Florida passed a law that went into effect on July 1 that would fine companies $1,000 for each day they don’t disclose a security breach, or $50,000 if they don’t disclose the breach for a month. Montana companies even face criminal charges.


On the federal level, U.S. Senator Dianne Feinstein (D-California) has proposed a bill modeled after California’s, while another bill from Senators Arlen Specter (R-Pennsylvania) and Patrick Leahy (D-Vermont) would only punish companies that expose consumers’ Social Security numbers. Consumer advocates fear that a national law would weaken state laws, however.
