On April 19, 2023, the New York Attorney General (the “NYAG”) published new guidance (the “Guide”) recommending security measures for companies entrusted with consumers’ personal information. The Guide supplements the reasonable safeguards already outlined in the New York Shield Act, which, in part, requires covered entities to maintain reasonable security measures when handling personal information related to New York residents. The Guide reinforces practices that regulators have focused on, such as authentication, encryption, third-party risk management, and data governance. While the Guide’s recommendations are only advisory, it details the NYAG’s Shield Act enforcement actions on these issues, and the Guide is meant to put companies “on notice that they must take their data security obligations seriously.” Following its issuance, the NYAG announced additional Shield Act enforcement actions, including one with Practicefirst Medical Management Solutions, that involved many of the security concerns raised in the Guide.
In this Debevoise Data Blog post, we examine the Guide’s data security recommendations and highlight the impact for companies that are subject to New York’s data security laws. But companies that are not subject to New York’s data security laws should also pay close attention; the Guide will undoubtedly raise the bar on what constitutes “reasonable security,” a standard expected by many states and cited by data breach plaintiffs.
NYAG Recommended Safeguards
While the Shield Act addresses reasonable safeguards more broadly, the Guide focuses on certain measures and outlines targeted steps that companies should take to protect consumers’ personal information. Specifically, the Guide focuses on the following:
- Implement Secure Authentication Procedures
Similar to guidance the New York Department of Financial Services released in 2021, the Guide encourages companies to have strong authentication measures in place to ensure that unauthorized individuals cannot access sensitive data. Specifically, internal administrative and remote-access employee accounts should have multifactor authentication (“MFA”) enabled, but the Guide also recommends that companies consider MFA for other internal employee accounts and for customer accounts. For password-protected systems, companies should require greater password complexity (such as symbols and numbers), compare user-chosen passwords against breached password databases, and prohibit the use of context-specific passwords (e.g., user name, date of birth). Companies should also use up-to-date hashing methods—one-way functions that convert a password into a string of letters and numbers so that the password itself is never stored—to secure stored passwords against attacks.
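As an added example (not from the Guide or this post), the password controls described above can be implemented as follows in Python: complexity checks, a comparison against a breached-password list, rejection of context-specific values (user name, date of birth), and a memory-hard hash with a per-user salt. The breached-password set is a small constructed sample; the same list is the “prohibited list” used against credential stuffing in a later section.

```python
import hashlib
import hmac
import os
import re
from datetime import date

# Constructed sample of a breached-password list (hypothetical). A real
# deployment would load a large breach corpus or query a k-anonymity API.
BREACHED_PASSWORDS = {"password123!", "welcome2023!", "letmein!1", "qwerty!2023"}

# scrypt work factors: 16 MiB of memory per hash (128 * r * n bytes).
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def password_problems(password, username, birthdate_iso):
    """Return the policy violations found; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in breached password list")
    if username.lower() in lowered:
        problems.append("contains user name")
    birthdate = date.fromisoformat(birthdate_iso)
    # Reject the birth year and common numeric date layouts.
    for fmt in ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%m%d%y", "%d%m%y"):
        if birthdate.strftime(fmt) in password:
            problems.append("contains date of birth")
            break
    return problems


def hash_password(password, salt=None):
    """Hash with scrypt and a random 16-byte salt; store as salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```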
- Ensure That Service Providers Adequately Safeguard Data
If service providers are used to manage consumer information, the Guide notes that companies should make sure that those providers have appropriate security measures in place (including the ones detailed in this blog post), put data security expectations into contracts, and monitor the providers to ensure compliance.
- Track Consumer Information
Companies should maintain an inventory of assets that contain consumer information. The Guide recommends that companies track where personal information (especially sensitive personal information) is kept so that they can conduct appropriate security testing and identify potential vulnerabilities earlier.
- Limit Sensitive Information in Web Applications
The Guide warns against disclosing sensitive information through websites or applications unless appropriate authentication is required and, typically, masking is applied. Companies should also audit web applications to ensure that sensitive data is only transmitted in unmasked form when necessary and appropriate.
- Utilize Encryption
Companies should use encryption to handle sensitive consumer information. If other defenses fail, encryption can ensure that any sensitive information found cannot be used.
- Implement Data Minimization Processes
We have previously offered tips for complying with data minimization requirements (such as automating the deletion of old files and restricting circumvention practices) and highlighted the Shield Act’s requirement to dispose of private information that is no longer needed for business purposes. The Guide recommends that companies regularly audit accounts to identify ones that have been inactive for an extended period of time. When employees leave, businesses should delete or disable employee accounts, especially those with access to sensitive information. Old and unused accounts are frequently used by attackers to gain access to systems.
- Guard Against Automated Attacks
We have discussed the threat of credential stuffing and ways for companies to mitigate risk. We recommended that companies implement MFA and use lists of commonly breached passwords to create password “prohibited lists” to prevent usage of weak passwords. The Guide urges companies that maintain online consumer accounts to implement effective safeguards, in particular, the safeguards found in the NYAG’s 2022 Business Guide for Credential Stuffing Attacks. Safeguards that were found to be highly effective include: bot detection services, MFA, and password-less authentication.
- Protect Consumer Accounts from Further Harm
When attackers compromise a consumer’s account, the Guide notes that companies should take swift action to secure the account to protect the consumer from further harm. Usually, this will require immediately resetting passwords or freezing impacted accounts. The Guide also reminds companies to provide consumers with notice that is timely and conveys accurate material information about the attack to enable them to take further protective actions themselves.
Consider conducting a compliance and risk assessment that maps your company’s controls with the recommendations in the Guide. Companies should examine their data security programs to ensure they are complying with New York’s data security laws. Here are a few points for companies to keep in mind when assessing the strength of their data security programs:
- Whether existing incident response plans enable protective actions for consumer (or other) accounts to be taken promptly and facilitate accurate and prompt communications;
- Whether existing encryption tools would, in the event of a data breach, prevent an attacker from actually reading any compromised data;
- Whether effective authentication procedures and masking are in place to protect sensitive data from unauthorized users in web applications; and
- Whether personal data has been inventoried to effectively monitor and ensure data minimization.
- Consider partnering with outside counsel and a consultant to understand your controls and map those controls to the requirements.
The NYAG expects proactive implementation of the recommendations. While the Guide does not create any new legal obligations for companies, the NYAG expects companies to incorporate these recommendations into their data security programs and has aligned the Guide with its approach to enforcement actions. Since issuing this guidance, the NYAG has continued its enforcement pattern, including by announcing a $550,000 settlement with Practicefirst Medical Management Solutions, alleging security failings also raised in the Guide—failure to use secure authentication measures on administrator accounts, failure to conduct security testing, failure to encrypt files, and failure to issue prompt notifications. This suggests that the NYAG may be less forgiving of entities that have not adopted its recommendations when investigating future cyber incidents.
The NYAG expects consumer notifications to be both timely and accurate. The Guide consistently emphasizes the need for transparency to all stakeholders with regard to the severity of a company’s data breach incident and warns that attempts to downplay the severity of a data breach may themselves lead to an enforcement action. Companies should take special care to ensure not only that notifications are timely but also that they provide sufficient information to properly convey the scope of an incident, and that all incident communications have appropriate input from the incident response team.
Companies should consider implementing consistent security practices outside of New York. While the Guide is focused on the Shield Act, beyond New York, several states impose reasonable cybersecurity requirements on companies, including California, Maryland, and Oregon, and the Guide’s recommendations also align with the requirements of those other states. For example, in November 2022, the Massachusetts Attorney General obtained over $625,000 from settlements with Experian and T-Mobile because of the companies’ alleged failures to safeguard consumers’ personal information and notify affected consumers.
The Guide’s recommendations apply beyond the consumer context. While the Guide is focused on protecting consumer data, the Shield Act is applicable to other types of personal information, such as employee data, and state residents generally. Organizations should consider the applicability of the Guide’s recommendations to those broader categories.
The authors would like to thank Debevoise Summer Associate Kierra E. Booker for her work on this Debevoise Data Blog.
The cover art used in this blog post was generated by DALL-E.