New York AG Remains Active On The Data Security Enforcement Front

Damon Silver
Jackson Lewis P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

In yet another example of its focus on imposing greater data security accountability, the New York Attorney General (“NYAG”) recently announced a significant settlement with Marymount Manhattan College (“the College”).  The settlement stems from a data breach to which the College was subject in 2021.  Following an investigation, which, according to the NYAG, revealed inadequacies in the College’s data security program, the NYAG secured a commitment from the College to invest $3.5 million over the next six years to bolster that program.  Specifically, the College committed to:

  • maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
  • encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
  • maintaining reasonable policies to perform security updates and patch management;
  • enabling multifactor authentication for users logging into the College’s networks;
  • scanning for vulnerabilities and potential weaknesses; and
  • publicly sharing the College’s plans for collecting, retaining, and deleting personal information.

In its press release announcing the settlement, the NYAG made a point of highlighting some of its other recent six- and seven-figure settlements with organizations that have experienced data breaches, including organizations in the sportswear, healthcare, clothing, supermarket, and e-commerce spaces.  The NYAG also referenced the data security guidance it issued in April 2023, which we discussed here, outlining safeguards the NYAG views as high-priority, including access controls, encryption of sensitive information, service provider vetting and contracting, data mapping, and incident response planning. 

Given the NYAG’s heightened enforcement posture over the past couple of years, as well as the recent bolstering of the New York Department of Financial Service’s cybersecurity regulations, which we discussed here, organizations that process personal information relating to New York residents face increased pressure to continuously assess the adequacy of their data security programs and to make timely upgrades.    

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.
Jackson Lewis P.C.
Contact
more
less

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide