New York Attorney General: Data Breaches Will Cost You – Privacy Protection | #emailsecurity | #phishing | #ransomware




As the rate of international cyberattacks increases, it is
essential that corporations that collect and store their
customers’ personal data keep it safe from breaches. But even
large corporations can be slow to act in order to implement
effective data protection. Recent enforcement actions reveal that
New York is among the states leading the way in investigating and
fining corporations for both actual and potential data breach
situations. Within the past month alone, Attorney General Letitia
James (“NYAG”) secured monetary settlements and consent
agreements from two large corporations that failed to maintain
adequate administrative, technical and physical safeguards as
required by New York law.

In the first, the NYAG joined 45
other states in recovering $1.25 million from Carnival Cruise Line.
After Carnival first reported a 2019 data breach
in 2020 — ten months after becoming aware of suspicious
activity on its servers — the states launched an investigation into
a possible violation of their data breach notification laws. It
revealed that Carnival’s storage of personal information was
unstructured and disorganized, and included personal information
stored via email and exposed to potential intruders. As a result,
in addition to imposing the fine, the states required Carnival to
implement a breach response and notification plan, institute email
security training for employees, add multi-factor authentication
for remote email access, use strong passwords with rotation and
secure storage, and implement enhanced logging of network
activities and independent security assessments.

The NYAG also recently secured a $400,000 settlement from
Wegmans Supermarkets for exposing the personal information of more
than three million consumers, including 830,000 New Yorkers.
Wegmans had stored its customers’ names, email addresses and
driver’s license numbers in a manner that left the information
unsecured and exposed to potential hackers. The state’s
investigation also revealed that Wegmans had left over three
million records of customer email addresses and passwords in an
unsecured Microsoft Azure container for over 39 months.

Significantly, in the Wegmans case, the NYAG found violations of
New York State laws even though there was no evidence that a data
breach had occurred. Rather, the NYAG took a page out of the
FTC’s playbook and found Wegmans to be in violation of New York Executive Law 63(12)
for repeated fraudulent activities. Wegmans had assured customers
in its privacy policy that “securing your information is our
top priority” and that it had technical safeguards in place to
do so. The NYAG also found that Wegmans violated GBL § 899-bb, also known
as the New York SHIELD Act. That law, made effective in 2020,
requires New York businesses to maintain reasonable cybersecurity
protections commensurate with their size and the sensitivity of
data they collect. The NYAG identified in detail each of the
deficiencies that led to its charge, including Wegmans’ lack of
proper access controls, password management, security assessments,
logging and monitoring and data collection and retention. As with
Carnival, Wegmans was required to upgrade its data security
measures and revamp its collection and storage policies.

New York’s recent enforcement efforts in targeting deficient
data collection practices show that it has moved to the forefront
among states in protecting its residents’ personal information.
Businesses that collect data from New York residents would do well
to take note, and to ensure that their security measures meet the
state’s standards. Mintz’s privacy attorneys are well versed
in the applicable laws and can assist businesses that collect
personal data from New Yorkers to ensure that they are doing so
safely and legally.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
