New York OAG releases data-security guide for businesses

The New York Office of the Attorney General (OAG) has issued a new guide to help businesses adopt effective data-security measures to better protect New Yorkers’ personal information. 

The guide is drawn from the OAG’s experience investigating and prosecuting businesses following cybersecurity breaches, the office said in its April 19 announcement. 

The guide offers a series of recommendations intended to help companies prevent breaches and secure their data.

“When businesses are entrusted with sensitive customer information, they carry both a legal and moral responsibility to protect it against data breaches,” New York Attorney General Letitia James said in a statement. “In today’s digital world, companies cannot afford to take risks with consumers’ personal information. Businesses can and must do more to protect New Yorkers from identity theft and fraud. The security guide created by my office has recommendations to help keep New York businesses ahead of cybercriminals and better able to protect consumers’ personal and financial information.”

Cybercriminals target consumers’ personal information to make money, either through identity theft or by coercing the company to pay a ransom. One of the “most sensitive” pieces of information is a consumer’s Social Security number. With a Social Security number, an attacker can open financial accounts in the victim’s name and collect federal and state benefits. 

Last year, OAG dealt with reports of 1,876 data-breach incidents that involved the exposure of Social Security numbers, affecting more than 3.2 million New Yorkers, James’ office said.

The guide discusses some data-security failures found in recent data-security investigations and recommends practices businesses should adopt to “better secure” their systems, fortify their networks, and strengthen their data-security measures.

Tips from the guide

Some important tips from the OAG guide include:

Maintain controls for secure authentication. For businesses that store customer information, strong authentication procedures can help ensure that only authorized individuals can access the data. Strong authentication procedures can include multi-factor authentication and password policies that require passwords to be “unique and complex.”

Encrypt sensitive customer information. Encrypting sensitive information, such as Social Security numbers, can help protect the information from hackers who are able to overcome other defenses. 

Ensure your service providers use reasonable security measures. Businesses that allow third-party vendors to access customer information should ensure that these vendors use appropriate data-security measures to safeguard the information. In most cases, this would include diligence in selecting vendors with appropriate data-security programs, building security expectations into contracts, and monitoring vendors’ work to ensure compliance.

Know where you keep consumer information. A business cannot properly protect customer information if it does not know where that information is kept. Businesses should maintain an asset inventory that tracks where customer information is stored.

Guard against automated attacks. “Credential stuffing” continues to be one of the most common forms of attack on customer accounts. This type of attack typically involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. That’s why businesses that maintain online accounts for their customers should have a data-security program in place that includes effective safeguards for protecting customers from credential-stuffing attacks. In January 2022, OAG released a business guide for credential-stuffing attacks that detailed four areas in which safeguards should be maintained, and specific safeguards that have been “found to be effective,” James’ office said.

Notify consumers quickly and accurately of a data breach. If a business has a data breach, it is “crucial” that customers are informed in a “timely and accurate” way so they can take steps to protect themselves. When businesses instead issue “misleading statements downplaying the scope or severity of an attack,” it can give customers a false sense of security and violate New York law, per James’ office.

Eric Reinhardt
