Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
State attorneys general are rapidly ramping up privacy and cybersecurity enforcement, launching aggressive investigations and imposing multimillion-dollar fines. Among those leading the charge is the New York attorney general.
In 2024, the Office of the New York State Attorney General marked a milestone in its privacy and cybersecurity enforcement. Leveraging the expertise of its Bureau of Information and Technology, the New York attorney general resolved allegations of privacy and cybersecurity breaches by settling with 12 companies — having initiated litigation against two of these companies — and imposing financial penalties exceeding USD14 million. This robust enforcement — mirroring the high pace of 2023 and far surpassing previous years — signals a sustained commitment to upholding rigorous data protection standards.
The attorney general's approach to privacy, cyber enforcement
The New York attorney general's office is empowered by broad statutes and the ability to impose significant fines and seek extensive injunctive relief for what it views as deceptive privacy and cybersecurity practices. The attorney general is the chief law enforcement officer of the state by statute, and, as an elected official, the current attorney general's policy objectives may shift the office's enforcement priorities — an important consideration for companies when responding to attorney general inquiries and investigations.
The office can often appear to be more aggressive than other agencies, pursuing violations even among emerging companies, though it may consider suspended penalties in cases of financial hardship. Companies should also expect to encounter aggressively worded consent decrees — referred to as "assurances of discontinuance" — that contain detailed recitation of the attorney general's factual allegations.
Finally, much like the U.S. Federal Trade Commission, the New York attorney general's office monitors social media and news coverage to identify potential enforcement triggers, meaning that when making business decisions, companies should consider not only the volume of potential consumer complaints but also their intensity, as even a single complaint could prompt an investigation.
Enforcement in 2024
The New York attorney general's privacy and cybersecurity enforcement actions generally fall into two categories. First, it has enforced against companies that experienced data breaches and are accused of misleading consumers about their data security practices or failing to comply with New York's information security laws. Second, it has focused on companies' alleged misrepresentations about how they collect, use or share personal information.
Injunctive relief. In reaching resolutions, the attorney general often emphasizes the importance of extensive injunctive relief, requiring companies to remediate the alleged privacy and cybersecurity violations and to put in place systems and processes to maintain compliance.
There are several common types of injunctive relief the office secured in 2024. For example, it required companies to implement specific steps to improve their cybersecurity posture, such as making significant financial investments in an information security program, establishing an information governance committee, implementing a comprehensive incident response plan, appointing a chief information security officer and performing periodic information security assessments.
The attorney general has also emphasized vendor management, requiring companies to conduct enhanced due diligence before selecting vendors and to monitor vendor practices throughout the business relationship.
Furthermore, the attorney general may require companies to comply with specific laws, regulations and guidance depending on the alleged violation. For example, it may mandate adherence to the FTC Endorsement Guidelines to address claims of false advertising. Additionally, it has imposed consumer protections beyond legal requirements, such as requiring companies to grant consumers the right to delete their personal information stored on company systems that were breached.
The office also prioritizes prohibiting companies from using dark patterns — deceptive design practices that hinder users from exercising their privacy choices or subtly manipulate them into decisions that benefit the company. This includes tactics that nudge individuals into providing personal data that is unnecessary for the product or service being offered.
Finally, the attorney general regularly requires companies to document reports, procedures and processes to demonstrate ongoing compliance with the assurance of discontinuance. Mandatory compliance reporting to the attorney general can extend for a number of years, depending on the nature of the alleged privacy and cybersecurity violations, and is ultimately at the attorney general's discretion.
Financial penalties. Unlike the FTC's limited power under Section 5 of the FTC Act, state attorneys general, including New York's, have broad power to seek financial penalties for alleged privacy and cybersecurity violations. Last year alone, the New York attorney general's office secured significant penalties in connection with allegations related to data breaches.
The most cited violation, resulting in a penalty of more than USD8.9 million, was for allegations of inadequate monitoring of networks, systems and assets. In imposing the fine, the attorney general highlighted numerous allegations of inadequacies, including failures to monitor site traffic in real time, to monitor activity on all Application Programming Interface endpoints, to record and review user activity on networks, and to monitor and analyze server traffic.
The attorney general also imposed significant penalties, over USD8.2 million, for alleged lack of response to multiple third-party security alerts. In many of these instances, companies were alerted to gaps in their cybersecurity controls by vendors or were warned of specific cyberattack campaigns by industry groups or government organizations.
These enforcement actions highlight that the New York attorney general issues more severe penalties when it believes the cybersecurity incidents would have been less severe, or preventable altogether, had the company heeded alerts or maintained threshold levels of system monitoring.
The attorney general also penalized companies for failing to adhere to accepted cybersecurity best practices. These penalties include USD3.9 million for not using encryption and multifactor authentication to protect sensitive information, USD2 million for unauthorized access that went undetected for an extended period, and USD5.6 million related to a breach caused by a faulty online data collection form, which the office argued was unnecessary for the company's business.
The severity of financial penalties increased based on the type of data exposed. For example, the office imposed USD5.6 million in penalties for the unauthorized disclosure of driver's license information, which was subsequently used to file fraudulent unemployment claims, and USD1.4 million for failing to protect patients' personal and medical information.
The attorney general also imposed penalties for deceptive practices, including allegations of unauthorized sale of personal data, misleading advertising, and the use of dark patterns. Digital marketing platforms, in particular, may be subjected to increased scrutiny due to the design of their user interfaces and the manner in which they promote their services.
In total, the attorney general imposed penalties exceeding USD1.5 million for deceptive advertising related to misrepresentation of services or paid endorsements, and more than USD750,000 for unauthorized sale or distribution of data.
Insights for mitigating risk of scrutiny
The attorney general's enforcement actions can be distilled into helpful guidance on the types of privacy and cybersecurity measures companies should consider implementing — or avoiding — to mitigate the risk of the office launching an investigation.
Key cybersecurity controls include decommissioning inactive user accounts, restricting access to data and resources based on user roles, and implementing multifactor authentication. Companies are encouraged to adopt a proactive and comprehensive approach to cybersecurity, which involves encrypting personal data and maintaining robust encryption policies that encompass all systems, not just employee laptops.
Once policies and procedures are established, continuous monitoring is also essential to detect and report suspicious activity in real time, utilizing automated monitoring and adequate logging. Finally, in the event of a suspected incident, it is crucial for companies to promptly respond to alerts of cybersecurity risks and security gaps, including those from independent assessments or industry organizations. If a data breach occurs, companies must notify affected individuals in a timely manner and in accordance with applicable state laws.
The actions of the Office of the New York Attorney General also highlight the importance of adhering to common-sense privacy practices. Companies should focus on transparency and fairness when processing the personal information of populations that the attorney general considers "vulnerable," such as minors or individuals seeking health care services. Companies should also remain vigilant to avoid engaging in practices perceived by the office as addictive or involving dark patterns.
By following these guidelines, companies can better align with the expectations of the attorney general and mitigate potential legal risks.
Focus for 2025: Minors' use of social media
In 2024, Gov. Kathy Hochul, D-N.Y., signed both the New York Child Data Protection Act and the Stop Addictive Feeds Exploitation (SAFE) for Kids Act. Both laws give the attorney general enforcement authority.
In particular, the SAFE for Kids Act regulates "addictive social media platforms," which are the focus of state regulators across the country. The act places various prohibitions on social media platforms, such as prohibiting them from providing "addictive feeds" without determining that the recipient user is not a minor, or from sending notifications to minors at night.
Although similar laws have been challenged in other states by NetChoice — a trade association that represents online businesses — as unconstitutionally vague, overbroad and contrary to the First Amendment, companies should be prepared for the possibility that some of the requirements will survive these challenges and that states, including the New York attorney general, will launch enforcement actions as early as this year.
Carrie Cohen and Boris Segalis, CIPP/US, are partners and Katherine Wang, CIPP/US, CIPM, is an associate at Morrison Foerster. Associate Darcy Black also contributed to this article.