Attorney General James Releases Data Security Guide to Help Businesses Better Protect Consumers' Personal Information

NEW YORK – New York Attorney General Letitia James today released a guide to help businesses adopt effective data security measures to better protect New Yorkers’ personal information. The guide is drawn from the Office of the Attorney General’s (OAG) experience investigating and prosecuting businesses following cybersecurity breaches. The guide offers a series of recommendations intended to help companies prevent breaches and secure their data.

“When businesses are entrusted with sensitive customer information, they carry both a legal and moral responsibility to protect it against data breaches,” said Attorney General James. “In today’s digital world, companies cannot afford to take risks with consumers’ personal information. Businesses can and must do more to protect New Yorkers from identity theft and fraud. The security guide created by my office has recommendations to help keep New York businesses ahead of cybercriminals and better able to protect consumers’ personal and financial information.”

Cybercriminals target consumers’ personal information to make money, either through identity theft or by coercing the company to pay a ransom. One of the most sensitive pieces of information is a consumer’s social security number. With a social security number, an attacker can open financial accounts in the victim’s name and collect federal and state benefits. Last year, there were 1,876 data breach incidents reported to OAG that involved the exposure of social security numbers, affecting over 3.2 million New Yorkers.

The guide discusses some data security failures found in recent data security investigations and recommends practices business should adopt to better secure their systems, fortify their networks, and strengthen their data security measures. Some important tips from OAG's guide include:

• Maintain controls for secure authentication. For businesses that store customer information, strong authentication procedures can help ensure that only authorized individuals can access the data. Strong authentication procedures can include multi-factor authentication and password policies that require passwords to be unique and complex.
• Encrypt sensitive customer information. Encrypting sensitive information, such as social security numbers, can help protect the information from hackers who are able to overcome other defenses.
• Ensure your service providers use reasonable security measures. Businesses that allow third-party vendors to access customer information should ensure that these vendors use appropriate data security measures to safeguard the information. In most cases, this would include diligence in selecting vendors with appropriate data security programs, building security expectations into contracts, and monitoring vendors’ work to ensure compliance.
• Know where you keep consumer information. A business cannot properly protect customer information if it does not know where that information is kept. Business should maintain an asset inventory that tracks where customer information is stored.
• Guard against automated attacks. “Credential stuffing” continues to be one of the most common forms of attack on customer accounts. This type of attack typically involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. That’s why businesses that maintain online accounts for their customers should have a data security program in place that includes effective safeguards for protecting customers from credential stuffing attacks. In January 2022, OAG released a business guide for credential stuffing attacks that detailed four areas in which safeguards should be maintained, and specific safeguards that have been found to be effective.
• Notify consumers quickly and accurately of a data breach. If a business experiences a data breach, it is crucial that customers are informed in a timely and accurate way so they can take steps to protect themselves. When businesses instead issue misleading statements downplaying the scope or severity of an attack, it can give customers a false sense of security and violate New York law.

“As technology continues to evolve, protecting sensitive personal information becomes more important than ever,” said Westchester County Executive George Latimer. “I appreciate the efforts of Attorney General Letitia James in providing this guide to help businesses better safeguard New Yorkers’ data. By adopting these recommendations, companies can strengthen their security measures and help prevent cyberattacks.”

“Cybersecurity threats are on the rise, and New Yorkers need to feel sure that the businesses they interact with are keeping their data secure,” said State Senator Kristen Gonzalez. “This guide gives businesses the tools and advice they need to protect New Yorkers’ information. I am grateful to the Attorney General for leading on this issue, and I look forward to working together to advance cybersecurity in New York state.”

“Last year, more than 3.2 million New Yorkers were affected by data breaches involving the exposure of their social security numbers,” said State Senator Brad Hoylman-Sigal. “In our technology-dependent society, New Yorkers trust and rely on businesses to protect their personal information. I am grateful Attorney General James created this robust and accessible data security guide that will help our businesses better protect consumers from identity theft and fraud.”

“As Chair of the Consumer Protection Committee, I take data privacy and internet security very seriously,” said State Senator Kevin Thomas. “I thank Attorney General James and her staff for creating this helpful guide to easily share ways that our New York businesses can enact better data protections. I urge businesses of all sizes to utilize this great resource on ways to secure personal information from breaches that could have negative consequences on their employees and customers.” 

“Too many New Yorkers are victimized each year by identity and data theft,” said State Senator Samra Brouk. “As technology continues to advance in different industries, New York must take action to ensure that businesses have the resources they need to better protect their customers’ data. I am grateful to the Attorney General for her leadership on this issue, and look forward to continuing to work together to protect New Yorkers.”

“As technology advances, our cyber consumer protections guidelines need to keep pace,” said Assemblymember Nily Rozic. “This guide will help consumers better protect themselves and their data both online and offline. I'm grateful to Attorney General James, who prioritizes consumer protection in an ever-evolving world.”

“Customers expect businesses to keep their personal data safe and secure,” said Assemblymember Monica Wallace. “Too often, however, that information is compromised by sophisticated cybercriminals. I commend Attorney General James for her proactive efforts to educate business owners on the best practices for cybersecurity, so we can better protect consumers from identity theft, fraud, and related crimes.”

“Data breaches can have serious consequences for both businesses and consumers whose personal information is compromised,” said New York City Council Member Jennifer Gutiérrez. “The consumers who usually suffer the most from cybersecurity breaches are often those that can least afford to. I commend Attorney General James for releasing these critically important guidelines for businesses, which will help even the smallest businesses protect their and their customers’ data from cybercriminals.”

“The business community welcomes the support of Attorney General Letitia James for our efforts to protect customers and employees from identify theft,” said Kathryn Wylde, President and CEO, Partnership for New York City. “We look forward to partnering with her office to combat illegal cyber activity that is victimizing individuals and companies at a growing rate.”

“It's great to see that the New York Attorney General is providing tools and practical resources to help small businesses cope with the rise in cybersecurity attacks,” said Yael Grauer, Program Manager, Consumer Reports’ Security Planner. “This guide contains valuable information about the importance of encryption, multi-factor authentication, purging outdated data and accounts, and other steps to help companies comply with the law and address security threats.”

“New Yorkers rely on digital tools in every aspect of how they live and work, and it’s more important than ever that they feel confident in being able to safely use them,” said Julie Samuels, President and Executive Director, Tech:NYC. “We commend the Attorney General for thoughtfully addressing this issue and releasing a guide that safeguards New Yorkers’ personal and financial data in a way that benefits customer safety and business operations alike.”

Attorney General James has taken several actions to hold companies accountable for having poor cybersecurity. In December 2022, Attorney General James secured $200,000 from a student cap and gown producer, Herff Jones, for failing to protect consumers’ personal information. In October 2022, Attorney General James announced a $1.2 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers nationwide. In June 2022, Attorney General James secured $400,000 from Wegmans and required the retailer to improve data storage security after a data breach exposed consumers’ personal information. In March 2022, Attorney General James issued a consumer alert advising T-Mobile customers to take appropriate steps to protect their personal information following a data breach. 

This guide was issued by, and the investigations cited were conducted by, the Bureau of Internet and Technology.