New York Attorney General Letitia James has released a comprehensive guide aimed at helping companies bolster their data security measures and protect the personal information of New York consumers. Drawing from her experience in investigating and prosecuting businesses following cybersecurity breaches, the guide outlines a variety of recommendations to prevent data breaches and strengthen data security protocols. This news is particularly important as it underscores the growing need for businesses to prioritize data security in the digital age.
“When businesses are entrusted with sensitive customer information, they carry both a legal and moral responsibility to protect it against data breaches,” said James. “In today’s digital world, companies cannot afford to take risks with consumers’ personal information. Businesses can and must do more to protect New Yorkers from identity theft and fraud. The security guide created by my office has recommendations to help keep New York businesses ahead of cybercriminals and better able to protect consumers’ personal and financial information.”
The guide examines recent data security failures and offers best practices:
- Maintain controls for secure authentication. For businesses that store customer information, strong authentication procedures can help ensure that only authorized individuals can access the data. Strong authentication procedures can include multi-factor authentication and password policies that require passwords to be unique and complex.
- Encrypt sensitive customer information. Encrypting sensitive information, such as social security numbers, can help protect the information from hackers who are able to overcome other defenses.
- Ensure your service providers use reasonable security measures. Businesses that allow third-party vendors to access customer information should ensure that these vendors use appropriate data security measures to safeguard the information. In most cases, this would include diligence in selecting vendors with appropriate data security programs, building security expectations into contracts, and monitoring vendors’ work to ensure compliance.
- Know where you keep consumer information. A business cannot properly protect customer information if it does not know where that information is kept. Businesses should maintain an asset inventory that tracks where customer information is stored.
- Guard against automated attacks. “Credential stuffing” continues to be one of the most common forms of attack on customer accounts. This type of attack typically involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. That’s why businesses that maintain online accounts for their customers should have a data security program in place that includes effective safeguards for protecting customers from credential stuffing attacks. In January 2022, OAG released a business guide for credential stuffing attacks that detailed four areas in which safeguards should be maintained, and specific safeguards that have been found to be effective.
- Notify consumers quickly and accurately of a data breach. If a business experiences a data breach, it is crucial that customers are informed in a timely and accurate way so they can take steps to protect themselves. When businesses instead issue misleading statements downplaying the scope or severity of an attack, it can give customers a false sense of security and violate New York law.
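The credential-stuffing item above describes the attack pattern but not how a defender recognizes it. The following is an added example, not code from the OAG guide: a small detector that runs over constructed authentication log lines and separates credential stuffing (one source trying many different accounts, mostly failing) from single-account brute force (one source hammering one account). The log format, the IP addresses and usernames, and the thresholds (60-second window, five distinct accounts, 60% failure ratio, five attempts on one account) are all assumptions chosen for the example; a real deployment would tune them against its own traffic. It also lists accounts that logged in successfully inside a flagged window, since those are the ones that need a forced credential reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). One login attempt per line:
#   <UTC timestamp> <client ip> login <username> <ok|fail>
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.7 login alice fail
2024-05-01T10:00:01Z 198.51.100.7 login bob fail
2024-05-01T10:00:01Z 198.51.100.7 login carol fail
2024-05-01T10:00:02Z 198.51.100.7 login dave ok
2024-05-01T10:00:02Z 198.51.100.7 login erin fail
2024-05-01T10:00:03Z 198.51.100.7 login frank fail
2024-05-01T10:00:05Z 203.0.113.9 login alice fail
2024-05-01T10:00:06Z 203.0.113.9 login alice fail
2024-05-01T10:00:07Z 203.0.113.9 login alice fail
2024-05-01T10:00:08Z 203.0.113.9 login alice fail
2024-05-01T10:00:09Z 203.0.113.9 login alice fail
2024-05-01T10:00:10Z 203.0.113.9 login alice fail
2024-05-01T10:00:30Z 192.0.2.44 login grace fail
2024-05-01T10:00:41Z 192.0.2.44 login grace ok
2024-05-01T10:15:00Z 198.51.100.7 login heidi ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (\S+) (ok|fail)$")


def parse_log(text):
    """Parse log text into (timestamp, ip, user, succeeded) tuples sorted by time.

    Malformed lines are skipped rather than crashing the detector.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "ok"))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(seconds=60), min_users=5,
           min_fail_ratio=0.6, brute_attempts=5):
    """Return {ip: verdict} for source IPs whose activity in any sliding window
    looks like credential stuffing or single-account brute force.

    Thresholds are assumed values for this example, not figures from the guide.
    """
    by_ip = defaultdict(list)
    for ev in events:  # events are already time-ordered
        by_ip[ev[1]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            # All attempts from this IP within `window` of the i-th attempt.
            win = [e for e in evs[i:] if e[0] - start < window]
            per_user = defaultdict(int)
            failures = 0
            for _, _, user, ok in win:
                per_user[user] += 1
                failures += 0 if ok else 1
            summary = {
                "distinct_users": len(per_user),
                "attempts": len(win),
                "failures": failures,
                "window_start": start,
                # Accounts that authenticated successfully inside the window:
                # if the window is flagged, these credentials were valid and
                # should be reset and the sessions reviewed.
                "compromised": sorted(u for _, _, u, ok in win if ok),
            }
            # Stuffing signature: many different accounts, mostly failing,
            # because leaked passwords only match a minority of accounts.
            if len(per_user) >= min_users and failures / len(win) >= min_fail_ratio:
                verdicts[ip] = dict(summary, verdict="credential_stuffing")
                break
            # Brute-force signature: repeated attempts against one account.
            if max(per_user.values()) >= brute_attempts:
                verdicts[ip] = dict(summary, verdict="brute_force")
                break
    return verdicts


if __name__ == "__main__":
    for ip, v in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, v["verdict"], v["attempts"], "attempts,",
              v["distinct_users"], "accounts, compromised:", v["compromised"])
```

On the constructed sample, 198.51.100.7 is flagged as credential stuffing (six accounts in three seconds, five failures, `dave` logged in successfully and should be reset), 203.0.113.9 as brute force against `alice`, and 192.0.2.44 (one user mistyping once, then succeeding) is left alone. The same distinction matters for the response: stuffing calls for source-based rate limiting plus resets of the accounts that matched, whereas brute force is handled by per-account lockout or step-up authentication.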
“Cybersecurity threats are on the rise, and New Yorkers need to feel sure that the businesses they interact with are keeping their data secure,” said State Senator Kristen Gonzalez. “This guide gives businesses the tools and advice they need to protect New Yorkers’ information. I am grateful to the Attorney General for leading on this issue, and I look forward to working together to advance cybersecurity in New York state.”
“Last year, more than 3.2 million New Yorkers were affected by data breaches involving the exposure of their social security numbers,” said State Senator Brad Hoylman-Sigal. “In our technology-dependent society, New Yorkers trust and rely on businesses to protect their personal information. I am grateful Attorney General James created this robust and accessible data security guide that will help our businesses better protect consumers from identity theft and fraud.”
“As Chair of the Consumer Protection Committee, I take data privacy and internet security very seriously,” said State Senator Kevin Thomas. “I thank Attorney General James and her staff for creating this helpful guide to easily share ways that our New York businesses can enact better data protections. I urge businesses of all sizes to utilize this great resource on ways to secure personal information from breaches that could have negative consequences on their employees and customers.”
The History of Cybersecurity in New York: A Glimpse at Regulations and Laws
New York has always been at the forefront of advancements in various sectors, and the field of cybersecurity is no exception. As the digital age progresses, the importance of safeguarding our virtual assets grows more critical. With a history of regulatory measures and laws focused on enhancing cybersecurity, New York has become a model for other states to follow. In this article, we will delve into the history of cybersecurity in New York and explore key regulations and laws that have shaped the state's approach to this critical issue.
Early Beginnings of Cybersecurity in New York:
The history of cybersecurity in New York can be traced back to the late 1990s and early 2000s, when the state began to recognize the need for a more robust digital infrastructure. This led, in 2002, to the creation of the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), later renamed the New York State Office of Cyber Security (NYSOCS). The office aimed to protect state-owned information systems and critical infrastructure from cyber threats, as well as to raise public awareness about cyber risks.
New York's Regulatory Framework:
- The New York State Information Security Breach and Notification Act (2005)
As a response to growing concerns about identity theft, New York passed the Information Security Breach and Notification Act in 2005 (codified at General Business Law § 899-aa). The act requires businesses that hold New York residents' private information to notify affected residents of security breaches involving that information, and to notify the Attorney General, the Department of State, and the State Police. By making breaches visible, it encourages businesses to adopt stronger cybersecurity measures to protect their customers' data.
- New York's DFS Cybersecurity Regulation (2017)
In 2017, the New York Department of Financial Services (DFS) implemented one of the most comprehensive cybersecurity regulations for financial institutions in the U.S. The 23 NYCRR Part 500 regulation requires banks, insurance companies, and other DFS-regulated financial services institutions to establish and maintain a cybersecurity program to protect consumer data and the overall financial system. Key components of the regulation include periodic risk assessments, a designated Chief Information Security Officer, employee training, third-party service provider management, multi-factor authentication, encryption of nonpublic information, incident response planning, notification of cybersecurity events to DFS, and an annual certification of compliance.
- Stop Hacks and Improve Electronic Data Security (SHIELD) Act (2019)
In an effort to strengthen consumer data privacy protections, New York enacted the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in 2019. The SHIELD Act broadens the definition of private information (adding, for example, biometric data and account credentials) and of a breach (covering unauthorized access, not only acquisition), applies to any person or business that holds New York residents' private information whether or not it does business in the state, and requires covered businesses to implement reasonable administrative, technical, and physical safeguards. It also increases the civil penalties the Attorney General can seek for non-compliance, making it an essential law for businesses to adhere to.
Why This New Comprehensive Guide Is Important
This guide is significant because it emphasizes the importance of robust data security measures for businesses, given the increasing risk of cyber threats. By providing best practices for companies to follow, it helps protect the New Yorkers whose information those companies hold. Furthermore, because the recommendations are drawn from the Attorney General's own breach investigations, businesses should expect the office to treat them as the benchmark for "reasonable" security in future cybersecurity or data breach investigations, which reinforces the necessity of adopting them.