As the rate of international cyberattacks increases, it is essential that corporations that collect and store their customers’ personal data keep it safe from breaches. But even large corporations can be slow to implement effective data protection. Recent enforcement actions reveal that New York is among the states leading the way in investigating and fining corporations for both actual and potential data breach situations. Within the past month alone, Attorney General Letitia James (“NYAG”) secured monetary settlements and consent agreements from two large corporations that failed to maintain adequate administrative, technical and physical safeguards as required by New York law.
In the first, the NYAG joined 45 other states in recovering $1.25 million from Carnival Cruise Line. After Carnival first reported a 2019 data breach in 2020 -- ten months after becoming aware of suspicious activity on its servers -- the states launched an investigation as a possible violation of their data breach notification laws. It revealed that Carnival’s storage of personal information was unstructured and disorganized, and included personal information stored via email and exposed to potential intruders. As a result, in addition to imposing the fine, the states required Carnival to implement a breach response and notification plan, institute email security training for employees, add multi-factor authentication for remote email access, use strong passwords with rotation and secure storage, and implement enhanced logging of network activities and independent security assessments.
The NYAG also recently secured a $400,000 settlement from Wegmans Supermarkets for exposing the personal information of more than three million consumers, including 830,000 New Yorkers. Wegmans had stored its customers’ names, email addresses and driver’s license numbers in a manner that left the information unsecured and exposed to potential hackers. The state’s investigation also revealed that Wegmans had left over three million records of customer email addresses and passwords in an unsecured Microsoft Azure container for over 39 months.
Significantly, in the Wegmans case, the NYAG found violations of New York State laws even though there was no evidence that a data breach had occurred. Rather, the NYAG took a page out of the FTC’s playbook and found Wegmans to be in violation of New York Executive Law 63(12) for repeated fraudulent activities. Wegmans had assured customers in its privacy policy that “securing your information is our top priority” and that it had technical safeguards in place to do so. The NYAG also found that Wegmans violated GBL § 899-bb, also known as the New York SHIELD Act. That law, effective in 2020, requires New York businesses to maintain reasonable cybersecurity protections commensurate with their size and the sensitivity of the data they collect. The NYAG identified in detail each of the deficiencies that led to its charge, including Wegmans’ lack of proper access controls, password management, security assessments, logging and monitoring, and data collection and retention practices. As with Carnival, Wegmans was required to upgrade its data security measures and revamp its collection and storage policies.
New York’s recent enforcement efforts targeting deficient data collection practices show that it has moved to the forefront among states in protecting its residents’ personal information. Businesses that collect data from New York residents would do well to take note, and to ensure that their security measures meet the state’s standards.