On April 19th, New York’s Attorney General, Letitia James, released a document titled, “Protecting consumer’s personal information: Tips for businesses to keep data safe and secure” (the “guide”), a resource to help businesses adopt effective data security measures. It draws on the Office of the Attorney General’s (“OAG”) experience investigating and prosecuting cybersecurity breaches, and highlights findings from such investigations. The guide can be found here.

Just last year, OAG investigated multiple large companies for inadequate cybersecurity practices. OAG obtained a USD$1.25 million settlement with Carnival Cruise Line following the unauthorized access of employee email accounts which exposed customers’ sensitive personal information, settled with T-Mobile after its failure to provide sufficient vendor oversight leading to the unauthorized access of customer information stored on a vendor’s network, and reached a USD$400,000 settlement with Wegmans after the supermarket chain’s cloud storage containers were inadvertently configured to allow public access. Overall, 4,000 data breach incident notifications were received by the OAG in 2022, providing ample opportunity for OAG to exercise its enforcement discretion.

The guide recommends data practices that companies should adopt to protect their systems. The recommendations from the guide include:

1. Maintain controls for secure authentication, with a preference for multi-factor authentication and strong password requirements.

2. Encrypt sensitive customer information.

3. Ensure service providers use reasonable security measures, including carefully selecting service providers, building security expectations into contracts, and monitoring service providers.

4. Know where you keep consumer information to prevent unauthorized and public access.

5. Guard against data leakage in web applications, including by masking sensitive information.

6. Protect customer accounts impacted in data security incidents, including resetting passwords of accessed accounts and notifying impacted users when necessary.

7. Delete or disable unnecessary accounts, which may be vulnerable to unauthorized access.

8. Guard against automated attacks. Tips specific to this recommendation can be found in an earlier guide on credential stuffing attacks, here.

9. Provide clear and accurate notice to consumers. Misleading statements following a data breach can violate New York Law.

Although this guide does not constitute a legal requirement or official New York State policy, the OAG hopes companies implement its recommendations to lower their risk of data breaches. It is likely that these measures will become part of the suite of best practices adopted by the privacy sector to mitigate risk, including on the litigation front, where the adequacy of a company’s cyber controls in the wake of a data breach continues to be an area of focus by the plaintiff’s bar.

Sasha Kiosse also contributed to this article.