Attorney General introduces data security guide for businesses

April 21, 2023 Rob Abruzzese
New York’s Attorney General Letitia James. Photo: Seth Wenig/AP.

New York Attorney General Letitia James has unveiled a comprehensive guide designed to help businesses enhance their data security measures and more effectively safeguard the personal information of New York residents.

The guide was developed using insights gained from the Office of the Attorney General’s (OAG) experience in investigating and prosecuting companies after cybersecurity breaches. It offers a range of recommendations to prevent such incidents from occurring.

“When businesses are entrusted with sensitive customer information, they carry both a legal and moral responsibility to protect it against data breaches,” said Attorney General James. “In today’s digital world, companies cannot afford to take risks with consumers’ personal information. Businesses can and must do more to protect New Yorkers from identity theft and fraud. The security guide created by my office has recommendations to help keep New York businesses ahead of cybercriminals and better able to protect consumers’ personal and financial information.”


In 2022, the OAG reported 1,876 data breach incidents that exposed social security numbers, affecting over 3.2 million New Yorkers. Cybercriminals seek out personal information to commit identity theft, open fraudulent financial accounts, and collect federal and state benefits.

The guide examines data security failures identified in recent investigations and suggests practices for businesses to fortify their systems, networks, and data security measures. Some of the key tips from the guide include implementing secure authentication controls to ensure only authorized individuals can access customer data. This involves using multi-factor authentication and strong password policies.

Additionally, businesses should encrypt sensitive customer information like social security numbers to protect them from hackers. They should also make sure third-party vendors use reasonable security measures when handling customer information. This involves being diligent when selecting vendors, incorporating security expectations into contracts, and monitoring vendor compliance.

Businesses must maintain an asset inventory that keeps track of where customer information is stored. They should also guard against automated attacks, such as credential stuffing, as detailed in the OAG’s January 2022 business guide.

Companies must also notify consumers quickly and accurately if a data breach occurs. Timely and accurate notifications enable customers to take necessary protective measures and avoid giving them a false sense of security.

“Cybersecurity threats are on the rise, and New Yorkers need to feel sure that the businesses they interact with are keeping their data secure,” said State Senator Kristen Gonzalez. “This guide gives businesses the tools and advice they need to protect New Yorkers’ information. I am grateful to the Attorney General for leading on this issue, and I look forward to working together to advance cybersecurity in New York state.”

