by Avi Gesser, Erez Liebermann, Stephanie D. Thomas, and Basil Fawaz
Avi Gesser, Erez Liebermann, Stephanie D. Thomas, and Basil Fawaz. (Photos courtesy of Debevoise & Plimpton LLP)
On April 19, 2023, the New York Attorney General (the “NYAG”) published new guidance (the “Guide”) recommending security measures for companies entrusted with consumers’ personal information. The Guide supplements the reasonable safeguards already outlined in the New York Shield Act, which, in part, requires covered entities to maintain reasonable security measures when handling personal information related to New York residents. The Guide reinforces practices that regulators have focused on, such as authentication, encryption, third-party risk management, and data governance. While the Guide’s recommendations are only advisory, it details the NYAG’s Shield Act enforcement actions on the issues, and the Guide is meant to put companies “on notice that they must take their data security obligations seriously.” Following its issuance, the NYAG announced additional Shield Act enforcement actions, including with Practicefirst Medical Management Solutions, that highlighted many of the security concerns highlighted in the Guide.
Continue reading →