The guidance is based on OAG’s experience prosecuting data breaches, and the tips will help businesses strengthen data protection.


New York Attorney General Letitia James today released a guide to help businesses take effective data security measures and better protect the personal information of New Yorkers. The guidance draws on the experience of the Office of the Attorney General (OAG) in investigating and prosecuting businesses following cybersecurity breaches. The guidance provides a series of recommendations designed to help companies prevent breaches and protect their data.


“When businesses are entrusted with sensitive customer information, they have a legal and moral responsibility to protect that information from data breaches,” said Attorney General James. “In today’s digital world, companies cannot afford to risk consumers’ personal information. Businesses can and must do more to protect New Yorkers from identity theft and fraud. Helping New York businesses stay one step ahead of cybercriminals and better protect consumers’ personal and financial information.”


Cybercriminals target consumers’ personal information to make money through identity theft or by forcing companies to pay ransoms. One of the most sensitive pieces of information is a consumer’s Social Security number. Armed with a Social Security number, an attacker could open financial accounts in the victim’s name and collect federal and state benefits. Last year, 1,876 data breaches involving compromised Social Security numbers were reported to OAG, affecting more than 3.2 million New Yorkers.


The guidance discusses some of the data security failures identified in recent data security surveys and recommends steps businesses should take to better protect their systems, harden their networks, and strengthen their data security measures. Some important tips from the OAG guidelines include:


  • Maintain control over secure authentication. For businesses that store customer information, strong authentication procedures can help ensure that only authorized individuals can access data. Strong authentication procedures can include multi-factor authentication and password policies that require passwords to be unique and complex.

  • Encrypt sensitive customer information. Encrypting sensitive information, such as Social Security numbers, helps protect it from hackers who manage to overcome other defenses.

  • Make sure your service provider uses reasonable security measures. Businesses that allow third-party vendors to access customer information should ensure that those vendors use appropriate data security measures to protect the information. In most cases, this will include diligently selecting suppliers with appropriate data security procedures, building security expectations into contracts, and monitoring the supplier’s work to ensure compliance.

  • Know where you keep consumer information. Businesses cannot properly protect customer information if they do not know where the information is kept. Businesses should maintain an asset inventory to track where customer information is stored.

  • Protect against automated attacks. “Credential stuffing” remains one of the most common forms of attack on customer accounts. This type of attack usually involves repeated attempts to log into online accounts using usernames and passwords stolen from other online services. That’s why businesses that maintain online accounts for their customers should have a data security plan that includes effective safeguards to protect customers from credential stuffing attacks. In January 2022, OAG published business guidance on credential stuffing attacks. It details four areas where safeguards should be maintained, as well as specific safeguards that have been found to be effective.

  • Quickly and accurately notify consumers of data breaches. If a business experiences a data breach, it’s critical to promptly and accurately notify customers so they can take steps to protect themselves. Conversely, when businesses issue misleading statements that downplay the scope or severity of an attack, they may give customers a false sense of security and violate New York law.


“As technology continues to evolve, it is more important than ever to protect sensitive personal information,” said Westchester County Executive George Latimer. “I thank Attorney General Letitia James for her efforts to provide this guidance to help businesses better protect the data of New Yorkers. By adopting these recommendations, companies can strengthen their security measures and help prevent cyberattacks.”


“Cybersecurity threats are on the rise, and New Yorkers need to be confident that the businesses they interact with are keeping their data safe,” said State Senator Kristen Gonzalez. “This guidance provides businesses with the tools and recommendations they need to protect the information of New Yorkers. I thank the Attorney General for her leadership on this issue, and I look forward to working together to advance cybersecurity in New York State.”


“Last year, more than 3.2 million New Yorkers were affected by a data breach involving the exposure of their Social Security numbers,” said State Senator Brad Hoylman-Sigal. “In our technology-dependent society, New Yorkers trust and rely on businesses to protect their personal information. I am grateful to Attorney General James for creating this robust and accessible data security guidance that will help our businesses better protect consumers from identity theft and fraud.”


“As chair of the Consumer Protection Commission, I take data privacy and Internet security very seriously,” said State Senator Kevin Thomas. “I thank Attorney General James and her staff for producing this helpful guide to easily share ways our New York businesses can implement better data protections. I urge businesses of all sizes to utilize this important resource to protect individuals’ information from disclosure that could negatively impact their employees and customers.”


“Too many New Yorkers are victimized by identity and data theft each year,” said State Senator Sam Labrook. “As technology continues to advance across industries, New York must act to ensure businesses have the resources they need to better protect customer data. I thank the Attorney General for her leadership on this issue and look forward to continuing to work together to protect New Yorkers.”


“As technology advances, our online consumer protection guidelines need to keep pace,” said MP Nily Rozic. “This guidance will help consumers better protect themselves and their data both online and offline. I thank Attorney General James for making consumer protection a priority in an evolving world.”


“Customers expect businesses to keep their personal data safe,” said MP Monica Wallace. “However, this information is often compromised by sophisticated cybercriminals. I applaud Attorney General James for her aggressive efforts to educate business owners on cybersecurity best practices so we can better protect consumers from identity theft, fraud and related crimes.”


“Data breaches can have serious consequences for businesses and consumers whose personal information was compromised,” said New York City Council Member Jennifer Gutierrez. “Often the consumers who suffer the most from a cybersecurity breach are the ones who can’t afford it. I applaud Attorney General James for issuing these critical business guidelines that will help even the smallest businesses protect their and their customers’ data from cybercriminals.”


“The business community welcomes Attorney General Letitia James’ support of our efforts to protect customers and employees from identity theft,” said Kathryn Wylde, President and CEO, Partnership for New York City. “We look forward to working with her office to combat illegal online activity that is harming individuals and companies at an increasing rate.”


“It’s great to see that the New York Attorney General is providing tools and practical resources to help small businesses deal with the increase in cybersecurity attacks,” said Yael Grauer, Program Manager, Safety Planner, Consumer Reports. “This guide contains valuable information on the importance of encryption, multi-factor authentication, wiping out obsolete data and accounts, and other steps to help companies comply with laws and respond to security threats.”


“New Yorkers rely on digital tools in every aspect of their lives and jobs, and now, more than ever, it’s important that they feel confident they can use them safely,” said Tech:NYC President and Executive Director Julie Samuels. “We applaud the Attorney General for thoughtfully addressing this issue and issuing guidance to protect the personal and financial data of New Yorkers in a manner that is conducive to customer security and business operations.”


Attorney General James has taken a number of actions to hold companies accountable for poor cybersecurity. In December 2022, Attorney General James received $200,000 from student cap and gown maker Herff Jones for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.2 million agreement with owners of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers across the country. In June 2022, Attorney General James obtained $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information after a data breach.


This guidance is published by the Internet and Technology Bureau, and the surveys cited were conducted by the Internet and Technology Bureau.


