As noted in a prior post, New York’s Attorney General (“NYAG”) has made enforcement of the New York SHIELD Act  an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information.  Maintaining its focus on this area, the NYAG recently released a guide to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the NYAG’s guide (the “Guide”).   

The Guide is based on the NYAG’s experiences in investigating and prosecuting organizations in the wake of data incidents.  It states that the NYAG received 4,000 data breach notifications in 2022 and penalized organizations millions of dollars for failing to comply with their data security obligations.

In the Guide, the NYAG recommends action in nine areas.  Specifically, it directs organizations to:

  1. Maintain controls for secure authentication to ensure only authorized individuals have access to data.
  2. Encrypt sensitive customer information
  3. Ensure service providers use reasonable security measures
  4. Know where the business is keeping consumer information
  5. Guard against data leakage in web applications
  6. Protect customer accounts impacted by data security incidents
  7. Delete or disable unnecessary accounts
  8. Guard against automated attacks
  9. Provide clear and accurate notice to consumers

The Guide recommends best practices related to each of the above recommendations and also highlights relevant cases the NYAG has investigated that implicate these areas.  Additionally, it incorporates by reference guidance the NYAG issued in 2022 regarding credential stuffing attacks, which outlines four areas in which safeguards should be maintained and certain safeguards may not be effective.

In light of the NYAG’s aggressive enforcement of the NY SHIELD Act, and the sharp rise in data breach-related litigation, organizations should take a close look at their data security programs – with the Guide as one reference point – to ensure they are appropriately managing risk.

If you have questions or concerns regarding your organization’s data security program, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.