As the rate of international cyberattacks increases, it is essential that corporations that collect and store their customers’ personal data keep it safe from breaches. But even large corporations can be slow to implement effective data protection. Recent enforcement actions reveal that New York is among the states leading the way in investigating and fining corporations for both actual and potential data breach situations. Within the past month alone, Attorney General Letitia James (“NYAG”) secured monetary settlements and consent agreements from two large corporations that failed to maintain adequate administrative, technical and physical safeguards as required by New York law.
In the first, the NYAG joined 45 other states in recovering $1.25 million from Carnival Cruise Line. After Carnival first reported a 2019 data breach in 2020, ten months after becoming aware of suspicious activity on its servers, the states launched an investigation into a possible violation of their data breach notification laws. The investigation revealed that Carnival’s storage of personal information was unstructured and disorganized, and included personal information stored via email and exposed to potential intruders. As a result, in addition to imposing the fine, the states required Carnival to implement a breach response and notification plan, institute email security training for employees, add multi-factor authentication for remote email access, use strong passwords with rotation and secure storage, and implement enhanced logging of network activities and independent security assessments.
The NYAG also recently secured a $400,000 settlement from Wegmans Supermarkets for exposing the personal information of more than three million consumers, including 830,000 New Yorkers. Wegmans had stored its customers’ names, email addresses and driver’s license numbers in a manner that left the information unsecured and exposed to potential hackers. The state’s investigation also revealed that Wegmans had left over three million records of customer email addresses and passwords in an unsecured Microsoft Azure container for over 39 months.
New York’s recent enforcement efforts targeting deficient data collection practices show that it has moved to the forefront among states in protecting its residents’ personal information. Businesses that collect data from New York residents would do well to take note, and to ensure that their security measures meet the state’s standards.
©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
National Law Review, Volume XII, Number 213