A year in review: Privacy, data security enforcement by New York's attorney general

State attorneys general are rapidly ramping up privacy and cybersecurity enforcement, launching aggressive investigations and imposing multimillion-dollar fines. Among those leading the charge is the New York attorney general.

In 2024, the Office of the New York State Attorney General marked a milestone in its privacy and cybersecurity enforcement. Leveraging the expertise of its Bureau of Information and Technology, the New York attorney general resolved allegations of privacy and cybersecurity breaches by settling with 12 companies — having initiated litigation against two of these companies — and imposing financial penalties exceeding USD14 million. This robust enforcement — mirroring the high pace of 2023 and far surpassing previous years — signals a sustained commitment to upholding rigorous data protection standards.

The attorney general's approach to privacy, cyber enforcement

The New York attorney general's office is empowered by broad statutes and the ability to impose significant fines and seek extensive injunctive relief for what it views as deceptive privacy and cybersecurity practices. The attorney general is the chief law enforcement officer of the state by statute and as an elected official, the current attorney general's policy objectives may shift the office's enforcement priorities — an important consideration for companies when responding to attorney general inquiries and investigations.

The office can often appear to be more aggressive than other agencies, pursuing violations even among emerging companies, though it may consider suspended penalties in cases of financial hardship. Companies should also expect to encounter aggressively worded consent decrees — referred to as "assurances of discontinuance" — that contain detailed recitation of the attorney general's factual allegations.