How Can Corporations Protect against Cybersecurity Threats in New York?

New York law requires corporations to maintain reasonable safeguards, though the statute does not prescribe a single standard. Courts and regulators evaluate reasonableness based on industry practice, the sensitivity of data held, and the corporation's size and resources. NYDFS rules for financial services companies mandate specific controls: encryption of personal information, multifactor authentication, security event logging, and annual penetration testing. Non-regulated corporations typically look to frameworks such as NIST Cybersecurity Framework or ISO 27001 to demonstrate reasonable care. The absence of a bright-line standard means corporations must document their risk assessment process and the basis for their chosen controls.

When a corporation discovers a breach of personal information, New York law requires notification to affected individuals and, in many cases, to the New York Attorney General without unreasonable delay. Without unreasonable delay has been interpreted by regulators to mean as soon as the breach is confirmed and the corporation has identified affected parties. Notification must include the nature of the breach, the types of information compromised, and steps the corporation is taking to address the incident. Failure to notify can result in civil penalties and regulatory enforcement. In practice, many corporations discover breaches through third-party incident responders or forensic investigators, which can extend the timeline for determining scope and notification obligations.

Effective vendor contracts establish clear security expectations and allocate risk. Contracts should specify that vendors must implement controls consistent with the corporation's own standards, notify the corporation of breaches affecting the corporation's data within a defined timeframe (often 24–72 hours), and permit the corporation to audit or assess the vendor's security posture. Contracts should also address data ownership, return or destruction of data upon termination, and the vendor's obligation to comply with breach notification laws. Many corporations use standardized security addenda or data processing agreements to ensure consistency. Documentation of vendor selection criteria and periodic reassessment of vendor security posture helps demonstrate that the corporation exercised reasonable oversight.

If a corporation operates in healthcare, processes health information, or maintains electronic health records, New York Public Health Law imposes additional cybersecurity obligations. The law requires healthcare organizations to implement safeguards for protected health information and report breaches to affected individuals and regulators. These requirements overlap with federal HIPAA standards but may impose stricter timelines or notification standards under state law. Corporations in healthcare must ensure that their cybersecurity program addresses both state and federal requirements and that incident response procedures account for the specific notification obligations imposed by public health authorities.

The first priority is to contain the breach and preserve evidence. Corporations should isolate affected systems, document the timeline of discovery, and engage forensic experts to determine what data was accessed or exfiltrated. Parallel to technical investigation, the corporation should involve counsel to evaluate notification obligations, regulatory reporting requirements, and potential litigation exposure. Courts in New York County Supreme Court and other venues have addressed disputes over whether a corporation's delay in investigation or notification violated statutory duties, and the strength of a corporation's contemporaneous documentation often determines whether a court finds the corporation acted reasonably. Corporations should maintain a detailed log of all discovery, investigation, and notification steps, including the dates, individuals involved, and the basis for decisions made.

New York law requires notification without unreasonable delay, which regulators typically interpret as within days of confirming the breach. The corporation must notify the New York Attorney General if the breach affects more than a threshold number of residents (generally 500 or more, though some guidance suggests notification for smaller breaches if sensitive information is involved). Notification to individuals must include specific information: the nature of the breach, the types of personal information involved, steps the corporation is taking in response, and contact information for further inquiries. Many corporations also offer credit monitoring or identity theft protection services, though such offerings are not legally mandated but are often expected as a good-faith response. Regulators scrutinize whether corporations have provided timely, accurate, and complete notification.