As New York’s attorney general, my top priority was protecting consumers from fraud, scams, and corporate misconduct. Today, the fraudsters’ most important tools can be found online.
Cyberattacks target consumers and businesses with impunity. For instance, one in four businesses are victimized by wire fraud. New York is one of the biggest targets for cyberattacks and digital espionage, with more breaches than almost any other state.
Just look at the first three months of 2025:
In January, a data breach at the New York Blood Center exposed the sensitive data of nearly 200,000 people.
In February, hackers gained entry to the internal systems of the Business Council of New York State, stealing the names, Social Security numbers, bank account information, and medical data of 47,000 people. The fraudsters’ access to this data was undetected for 160 days.
In March, Attorney General Letitia James filed a lawsuit against insurance companies Allstate and National General after their cybersecurity lapses allowed cybercriminals to obtain the driver’s license numbers of more than 165,000 New Yorkers.
The Empire State a prime target for hackers. We’re the premier financial center, home of the New York Stock Exchange and multiple global banks. We have leading universities like NYU and Columbia and world-class hospitals like Mount Sinai and Bellevue. Many of our nation’s largest media companies — including Fox, Paramount, Hearst, and Warner Bros. Discovery — call New York City home.
These organizations have one thing in common: they handle enormous amounts of data, making the state a magnet for bad actors — both foreign and domestic.
New York has already taken important steps to combat cyber crime. Then-Gov. Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in 2019, requiring that cyber incidents be reported within hours and that businesses in possession of private information must adopt certain safeguards.
This summer, Gov. Hochul signed a new cybersecurity bill, extending reporting requirements to municipalities, mandating additional cybersecurity training for government employees, and imposing new data protection regulations on information systems maintained by the state.
These measures are necessary but insufficient. Good security procedures help, but they don’t address deeper risks inherent in who builds and controls the IT infrastructure. All the training in the world won’t protect your data if there’s a backdoor built into the servers.
One way Albany can address this threat is by increasing oversight of the cloud and data platforms operating in New York, requiring audit rights and local data sovereignty protections.
New York legislators could also pass state-level trusted vendor mandates to ensure that routers, switches, and other network gear come from U.S. or allied-country firms that meet strict security standards.
They might also consider creating a Digital Resilience Authority to coordinate public-private threat sharing, response planning, and emergency resources. This body could oversee a cybersecurity investment fund or grant-matching program to help municipalities, hospitals, schools, and small businesses upgrade their digital defenses.
Sensible pro-competitive policies on the federal level are also needed. For example, the Justice Department recently approved Hewlett Packard Enterprise’s acquisition of Juniper on national security grounds. The U.S. intelligence community urged the DOJ to approve the deal because they said it was key to giving American companies needed leverage to compete with the Chinese government-owned firms that continue leading the globe’s 5G and AI pushes. These firms are legally required to hand over any data the country’s Communist government demands and remain widescale cybersecurity threats.
None of these are partisan ideas. They’re common-sense protections for New Yorkers.
When I served as New York’s attorney general, the internet was in its infancy and dial-up access was the gateway. We formed the first internet bureau in the nation to fight online child pornography. From the very beginning, though, criminals have sought to use this technology for evil, and I’m proud of the work I did fighting back against internet-based child pornography.
Today, the computers are smaller and faster, but human nature hasn’t changed. We must remain vigilant and treat foreign cyber adversaries the same way we treat all fraudsters, scammers, and other bad actors — stop them before they inflict harm.
New York has an opportunity to lead the nation in adopting merger, procurement, and oversight policies that secure our data and protect its citizens and businesses. And in a state that’s home to so many tempting targets, it’s an opportunity we can’t afford to miss.
Vacco served as New York State’s 62nd attorney general.
