Thursday, April 20, 2023

Attorney General James Releases Data Security Guide to Help Businesses Better Protect Consumers' Personal Information


Guide Based on OAG Experience Prosecuting Data Breaches, Tips Will Help Businesses Strengthen Data Protection

New York Attorney General Letitia James today released a guide to help businesses adopt effective data security measures to better protect New Yorkers’ personal information. The guide is drawn from the Office of the Attorney General’s (OAG) experience investigating and prosecuting businesses following cybersecurity breaches. The guide offers a series of recommendations intended to help companies prevent breaches and secure their data.

“When businesses are entrusted with sensitive customer information, they carry both a legal and moral responsibility to protect it against data breaches,” said Attorney General James. “In today’s digital world, companies cannot afford to take risks with consumers’ personal information. Businesses can and must do more to protect New Yorkers from identity theft and fraud. The security guide created by my office has recommendations to help keep New York businesses ahead of cybercriminals and better able to protect consumers’ personal and financial information.”

Cybercriminals target consumers’ personal information to make money, either through identity theft or by coercing the company to pay a ransom. One of the most sensitive pieces of information is a consumer’s social security number. With a social security number, an attacker can open financial accounts in the victim’s name and collect federal and state benefits. Last year, there were 1,876 data breach incidents reported to OAG that involved the exposure of social security numbers, affecting over 3.2 million New Yorkers.

The guide discusses some data security failures found in recent data security investigations and recommends practices businesses should adopt to better secure their systems, fortify their networks, and strengthen their data security measures. Some important tips from OAG’s guide include:

  • Maintain controls for secure authentication. For businesses that store customer information, strong authentication procedures can help ensure that only authorized individuals can access the data. Strong authentication procedures can include multi-factor authentication and password policies that require passwords to be unique and complex.
  • Encrypt sensitive customer information. Encrypting sensitive information, such as social security numbers, can help protect the information from hackers who are able to overcome other defenses.
  • Ensure your service providers use reasonable security measures. Businesses that allow third-party vendors to access customer information should ensure that these vendors use appropriate data security measures to safeguard the information. In most cases, this would include diligence in selecting vendors with appropriate data security programs, building security expectations into contracts, and monitoring vendors’ work to ensure compliance.
  • Know where you keep consumer information. A business cannot properly protect customer information if it does not know where that information is kept. Businesses should maintain an asset inventory that tracks where customer information is stored.
  • Guard against automated attacks. “Credential stuffing” continues to be one of the most common forms of attack on customer accounts. This type of attack typically involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. That’s why businesses that maintain online accounts for their customers should have a data security program in place that includes effective safeguards for protecting customers from credential stuffing attacks. In January 2022, OAG released a business guide for credential stuffing attacks that detailed four areas in which safeguards should be maintained, and specific safeguards that have been found to be effective.
  • Notify consumers quickly and accurately of a data breach. If a business experiences a data breach, it is crucial that customers are informed in a timely and accurate way so they can take steps to protect themselves. When businesses instead issue misleading statements downplaying the scope or severity of an attack, it can give customers a false sense of security and violate New York law.

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity. In December 2022, Attorney General James secured $200,000 from a student cap and gown producer, Herff Jones, for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.2 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers nationwide. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach.

This guide was issued by, and the investigations cited were conducted by, the Bureau of Internet and Technology.