Credit Bloggers

Bringing together leading experts to discuss credit, loan, debt and identity theft topics, CreditBloggers provides readers with unique insight and straight answers about the financial world.
New York Data Breach Settlement Marks A Baby Step Forward
Amid the ongoing flood of computer thefts, network hacks, and other breaches of personal data comes a sign that businesses and government agencies can actually be held accountable, more or less, for putting people's identities at risk. To wit: New York Attorney General Andrew Cuomo has announced a settlement with CS Stars, a Marsh Inc. affiliate, which the AG had accused of violating New York's breach notification law in a case involving some 540,000 New Yorkers.
The story started almost exactly one year ago. On May 9, 2006, a computer disappeared from a secured facility of the Chicago-based claims management company. The missing computer contained the personal information of more than half a million New Yorkers, most of them recipients of workers' compensation benefits — including their names, addresses, and Social Security numbers.
This was bad, but what the company allegedly did next made matters even worse. According to the New York AG, CS Stars failed to notify the state that the data was missing until June 29, some seven weeks after the theft. At that point, CS Stars also brought in the FBI — which asked the company to delay notifying consumers even further to protect its investigation.
The egregious result: the 540,000 New Yorkers whose information had been stolen on May 9 first learned of the theft on July 18, more than two months later.
We should note for the record that under the terms of the agreement, the company admits no violation of any laws, and that it has noted in a statement that "there is no assertion of guilt leveled by the New York attorney general's office."
But let's be honest: The company had a clear obligation under the law, and no good excuse for not knowing it — especially given that it operates in a highly regulated industry. Under New York's Information Security Breach and Notification Law, any business that maintains personal information that it doesn't own must notify the data's owner of any security breach "immediately following discovery" and notify all affected consumers in the most "expedient time possible." The attorney general, the Consumer Protection Board, and the New York Office of Cyber Security also must be notified.
Now, I'm no lawyer. But tell me, in what universe does seven weeks after the breach count as "immediate"?
Here's where everyone involved got extremely lucky. On July 25, the missing computer was found, and forensic investigators concluded that the sensitive information had not been accessed. It's a good thing, too, because two months with the names, addresses, and SSNs of half a million unsuspecting consumers would have been a field day for identity thieves — and could have left their victims cleaning up the mess for years and watching their backs for decades.
"CS Stars is pleased that no customer data was used inappropriately by the individual who stole the computer from our premises," the company said in a statement on the settlement, "and that there is no assertion of guilt leveled by the New York attorney general's office. We are pleased to now have [sic] this matter behind us and have no further comment."
It's no wonder CS Stars is "pleased" to have this near-disaster in the rear-view mirror. In light of the bullet they dodged, the company got off easy: CS Stars has agreed to implement precautionary procedures, comply with New York's notification law in the event of another breach, and pay the AG's office $60,000 to cover the costs of the investigation.
While it's always a pleasure to see a company promise to obey the law, it's not much of a concession. And 60 grand is chump change compared to the identity theft nightmare that CS Stars — and half a million New Yorkers — might have faced. As for those "precautionary procedures," encrypting sensitive data would be an obvious place to start — but wasn't that just as obvious before the breach?
Meanwhile, for all its shortcomings, this agreement is a baby step in the right direction. The problem is that baby steps are no longer enough — which brings us to next week's topic: the President's Identity Theft Task Force report. See you then.