New York AG Releases Data Security Guidelines on Consumer Personal Information Protection

Troutman Pepper

[co-author: Stephanie Kozol]

Drawing from her experience investigating and prosecuting businesses in the aftermath of cybersecurity breaches, New York Attorney General Letitia James released a guide to help companies implement effective data security measures that will safeguard the personal information of New York consumers. The guide offers a range of recommendations intended to help companies prevent data breaches and fortify their data security protocols.

Specifically, the guide discusses recent data security failures and recommends practices that include:

  1. Maintaining secure authentication controls, such as multifactor authentication and password policies regarding length and secure passwords;
  2. Encrypting sensitive information like Social Security numbers;
  3. Ensuring service providers use reasonable security measures;
  4. Keeping track of where consumer information is stored;
  5. Guarding against data leakage in web applications so as to only transmit data in unmasked form when appropriate;
  6. Protecting cyber-impacted customer accounts by immediately resetting account passwords or by freezing relevant accounts;
  7. Deleting or disabling unnecessary accounts;
  8. Guarding against automated attacks through effective safeguards against “credential stuffing attacks”; and
  9. Notifying consumers of data breaches quickly, clearly, and accurately.

The guide also warns businesses against issuing misleading statements about data breaches and violating New York law.

Why It Matters

The guide provides businesses with best practices to ensure that New Yorkers can “navigate the digital world safely and responsibly.” We suspect that the AG’s office will use these practices as its standard blueprint in future AG cybersecurity or data breach investigations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
