Large Hacked Hosting Companies Violating California Law and New York Law

drmike

100% Tier-1 Gogent
Another heads up for any VPS / hosting company or those selling products to such.  When you are hacked, some States in the United States require that you document and record the event with offices like the State Attorney Generals Office.  You are likely subject to regulations in many States since you sell to their citizens.

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))In the case of California:

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))
Not to be outdone,  the State of New York (a state where a certain company is based who was hacked TWICE) has a similar law:

http://www.dhses.ny.gov/ocs/breach-notification/

For Persons or Businesses Conducting Business in New York

Under section 899-aa of the General Business Law, a person or business conducting business in New York must also notify three (3) NYS offices: the NYS Attorney General; the NYS Division of State Police; and the Department of State's Division of Consumer Protection.
Did someone actually do their paperwork and file with the authorities like good little boys?  Shall I inquire?
 
Last edited by a moderator:

jarland

The ocean is digital
This isn't where I parked my car.


So glad someone deleted that out of line comment. It's called a joke, in this case expressing how I'm so impressed by this post that I have nothing to say. That context work for you guys? I'll submit a request next time before I post a comment.
 
Last edited by a moderator:

DomainBop

Dormant VPSB Pathogen
When you are hacked, some States in the United States require that you document and record the event with offices like the State Attorney Generals Office.
The exact definition of "some states" is 46 out of 50 U.S. states have databreach notification laws that must be followed if  residents of the state are victims of a databreach.

A handy guide to the laws of all states:

http://www.perkinscoie.com/statebreachchart/

The laws vary by state on whether companies also need to notify the State AG and/or consumer reporting agencies, and/or State/Local law enforcement agencies.  Factors that determine whether notification of consumer reporting agencies or the AG is necessary include things like number of state residents affected, type of information compromised.  In many states the compromise of a person's first and last name and password (as occured in the SolusVM breaches) would be enough to trigger the breach notification laws. 

All states with breach notification laws also have hefty fines if the notification procedure isn't followed exactly.  The statute of limitation for filing a complaint against a company that failed to follow the procedures in most states varies from 1-2 years.

edited for typo :p
 
Last edited by a moderator:
Top