New York Attorney General Letitia James recently published a guide to help companies in preparing their data security programs and responding to data security incidents. The security program recommendations are paired with highlights from recent investigations by the Attorney General that provide valuable insights into what the Attorney General views as data security pitfalls that should be remedied.

The guide contains nine items the AG recommends including in data security programs. These include security measures like use of multifactor authentication and complex passwords, encryption of sensitive data, and deletion of old or unused accounts. It also includes policy advice like maintaining a data storage map so companies know where sensitive data is located, and proper auditing of vendor information security practices. Importantly, two of the nine recommendations focus on responding to a data security incident, which makes clear that incident response is an essential part of a well-rounded data security program.

Putting it into Practice: The guide puts companies on notice of some of the key factors the NY Attorney General’s office looks for in their data breach investigations. By including practical examples, the AG signals a clear list of features that should be addressed in every data security program.