Drawing from her experience investigating and prosecuting businesses in the aftermath of cybersecurity breaches, New York Attorney General Letitia James released a guide to help companies implement effective data security measures that will safeguard the personal information of New York consumers. The guide offers a range of recommendations intended to help companies prevent data breaches and fortify their data security protocols.
Specifically, the guide discusses recent data security failures and recommends practices that include:
- Maintaining secure authentication controls, such as multifactor authentication and password policies regarding length and secure passwords;
- Encrypting sensitive information like Social Security numbers;
- Ensuring service providers use reasonable security measures;
- Keeping track of where consumer information is stored;
- Guarding against data leakage in web applications so as to only transmit data in unmasked form when appropriate;
- Protecting cyber-impacted customer accounts by immediately resetting account passwords or by freezing relevant accounts;
- Deleting or disabling unnecessary accounts;
- Guarding against automated attacks through effective safeguards against “credential stuffing attacks”; and
- Notifying consumers of data breaches quickly, clearly, and accurately.
The guide also warns businesses against issuing misleading statements about data breaches and violating New York law.
What It Matters
The guide provides businesses with best practices to ensure that New Yorkers can “navigate the digital world safely and responsibly.” We suspect that the AG’s office will use these practices as its standard blueprint in future AG cybersecurity or data breach investigations.
Troutman Pepper State Attorneys General Team
 | Ashley Taylor – Co-leader and Firm Vice Chair Ashley is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. He focuses primarily on federal and state government regulatory and enforcement matters involving state attorneys general, the Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC). Drawing upon his experience as a deputy attorney general, Ashley has developed an extensive consumer practice with regard to the consumer financial services industry. |
 | Clay Friedman – Co-leader Clay is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice. Informed by nearly a decade in a state attorneys general office, and more than 25 years in private practice, Clay spends much of his time representing clients in singular or multistate regulatory actions. Clay has repeatedly led teams before all 50 state attorneys general and also handles matters with the Federal Trade Commission, the Consumer Financial Protection Bureau, and other local, state and federal agencies. |
 | Judy Jagdmann Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006. |
 | Stephen Piepgrass Stephen represents clients interacting with, and being investigated by, state attorneys general and other enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, particularly in heavily regulated industries. |
 | Avi Schick A former deputy attorney general of New York, Avi applies his experience in bet-the-company matters, representing clients in criminal and civil investigations and enforcement actions before state and federal regulators, prosecutors and enforcement agencies. |
 | Michael Yaghi Michael handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation. |
 | Ketan Bhirud As a former government official at the state and federal level, Ketan leverages extensive experience in the public and private sectors to skillfully represent client interests. |
 | Tim Bado Tim is an attorney in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, with a primary focus on financial services litigation. |
 | Chris Carlson Chris represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general. |
 | Natalia Jacobo Natalia is an associate in the firm’s business litigation practice. She recently received her J.D from the University of California, Davis School of Law. |
 | Namrata Kang Namrata is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. Her work includes advising clients in regulatory investigations and compliance matters, in addition to representing clients in civil litigation matters. |
 | Susan Nikdel Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes. Susan also represents banks, fintechs, and financial services companies in connection with regulatory examinations and investigations brought by the CFPB, state attorneys general, and the California Department of Financial Protection and Innovation. |
 | John Sample John represents clients in a wide variety of general and complex litigation matters, shareholder disputes, products liability, and privacy claims. |
 | Whitney Shephard Whitney is an attorney in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation. |
 | Trey Smith Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement practice. His experience includes serving as a summer associate at the firm in 2021. |
 | Daniel Waltz An experienced litigator, Daniel advises and represents regional, national and international companies, financial institutions and insurers in all facets of business, complex commercial and insurance coverage litigation. He is committed to working with his clients to find creative solutions to meet their needs. |
 | Stephanie Kozol Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department. |