New York AG Releases Guide for Businesses on Effective Data Security
Saturday, May 6, 2023
NY Attorney General Enforcement of NY Shield Act
Print Mail Download i

As noted in a prior post, New York’s Attorney General (“NYAG”) has made enforcement of the New York SHIELD Act  an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information.  Maintaining its focus on this area, the NYAG recently released a guide to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the NYAG’s guide (the “Guide”).   

The Guide is based on the NYAG’s experiences in investigating and prosecuting organizations in the wake of data incidents.  It states that the NYAG received 4,000 data breach notifications in 2022 and penalized organizations millions of dollars for failing to comply with their data security obligations.

In the Guide, the NYAG recommends action in nine areas.  Specifically, it directs organizations to:

  1. Maintain controls for secure authentication to ensure only authorized individuals have access to data.
  2. Encrypt sensitive customer information
  3. Ensure service providers use reasonable security measures
  4. Know where the business is keeping consumer information
  5. Guard against data leakage in web applications
  6. Protect customer accounts impacted by data security incidents
  7. Delete or disable unnecessary accounts
  8. Guard against automated attacks
  9. Provide clear and accurate notice to consumers

The Guide recommends best practices related to each of the above recommendations and also highlights relevant cases the NYAG has investigated that implicate these areas.  Additionally, it incorporates by reference guidance the NYAG issued in 2022 regarding credential stuffing attacks, which outlines four areas in which safeguards should be maintained and certain safeguards may not be effective.

In light of the NYAG’s aggressive enforcement of the NY SHIELD Act, and the sharp rise in data breach-related litigation, organizations should take a close look at their data security programs – with the Guide as one reference point – to ensure they are appropriately managing risk.

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

Reconsidering Repayment Agreements with Foreign Employees
by: Amy L. Peck , Aimee Guthat
Tenth Circuit Upholds Court’s Refusal to Enjoin Federal Contractor Minimum Wage Hike
by: Brian E. Lewis , Laura A. Mitchell
Connecticut Legislature Passes Major Expansion of Paid Sick Leave Law
by: Justin E. Theriault
Live from Workplace Horizons 2024 — Episode 4: What Employers Need to Know About Today’s Challenges for Employers [Podcast]
by: Eric R. Magnus , Joseph J. Lynett
CBP Proposes Changes to Arrival and Departure Record, ESTA Systems
by: Carla Josephine Stenzel
A Deepfake of a Baltimore High School Principal Raises Significant Employment Issues
by: Joseph J. Lazzarotti
Live from Workplace Horizons 2024 — Episode 3: What Employers Need to Know About Being Compliant, Inclusive and Proactive [Podcast]
by: Felice B. Ekelman , Laura A. Mitchell
Tips for Restaurants, Retailers When Faced With Sabbath Day Requests
by: Andrew F. Maunz
Understanding Maryland’s New Wage Posting Law: A Guide for Employers
by: K. Joy Chin
Live from Workplace Horizons 2024 — Episode 2: What Employers Need to Know About Litigation and Investigations [Podcast]
by: Stephanie L. Adler-Paindiris , Lisa Barnett Sween

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins