As New York’s attorney general, my main concern was defending consumers against fraud, scams, and corporate wrongdoings. Nowadays, the most crucial tools for scammers are online.

Cyberattacks are aggressively targeting consumers and businesses. For example, one in four businesses experiences wire fraud. New York is particularly vulnerable to cyberattacks and digital spying, suffering more breaches than most states.

Just look at the first three months of 2025:

In January, a data breach at the New York Blood Center exposed the sensitive data of nearly 200,000 people.

In February, hackers breached the Business Council of New York State’s systems, stealing names, Social Security numbers, bank details, and medical information of 47,000 individuals. This intrusion remained unnoticed for 160 days.

In March, Attorney General Letitia James initiated a lawsuit against Allstate and National General insurance companies due to their security failings that allowed hackers to access the driver’s license numbers of over 165,000 New Yorkers.

New York is an appealing target for hackers. It is a key global finance hub, home to the New York Stock Exchange and countless major banks. The state also hosts prestigious universities like NYU and Columbia, renowned hospitals such as Mount Sinai and Bellevue, and many of the nation’s leading media companies including Fox, Paramount, Hearst, and Warner Bros. Discovery in New York City.

These entities share a common trait: they manage vast amounts of data, making New York a prime spot for attacks from both domestic and international cybercriminals.

New York has already taken important steps to combat cyber crime. Then-Gov. Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in 2019, requiring that cyber incidents be reported within hours and that businesses in possession of private information must adopt certain safeguards.

This summer, Gov. Hochul signed a new cybersecurity bill, extending reporting requirements to municipalities, mandating additional cybersecurity training for government employees, and imposing new data protection regulations on information systems maintained by the state.

These measures are necessary but insufficient. Good security procedures help, but they don’t address deeper risks inherent in who builds and controls the IT infrastructure. All the training in the world won’t protect your data if there’s a backdoor built into the servers.

One way Albany can address this threat is by increasing oversight of the cloud and data platforms operating in New York, requiring audit rights and local data sovereignty protections.

New York legislators could also pass state-level trusted vendor mandates to ensure that routers, switches, and other network gear come from U.S. or allied-country firms that meet strict security standards.

They might also consider creating a Digital Resilience Authority to coordinate public-private threat sharing, response planning, and emergency resources. This body could oversee a cybersecurity investment fund or grant-matching program to help municipalities, hospitals, schools, and small businesses upgrade their digital defenses.

Sensible pro-competitive policies on the federal level are also needed. For example, the Justice Department recently approved Hewlett Packard Enterprise’s acquisition of Juniper on national security grounds. The U.S. intelligence community urged the DOJ to approve the deal because they said it was key to giving American companies needed leverage to compete with the Chinese government-owned firms that continue leading the globe’s 5G and AI pushes. These firms are legally required to hand over any data the country’s Communist government demands and remain widescale cybersecurity threats.

None of these are partisan ideas. They’re common-sense protections for New Yorkers.

When I served as New York’s attorney general, the internet was in its infancy and dial-up access was the gateway. We formed the first internet bureau in the nation to fight online child pornography. From the very beginning, though, criminals have sought to use this technology for evil, and I’m proud of the work I did fighting back against internet-based child pornography.

Today, the computers are smaller and faster, but human nature hasn’t changed. We must remain vigilant and treat foreign cyber adversaries the same way we treat all fraudsters, scammers, and other bad actors — stop them before they inflict harm.

New York has an opportunity to lead the nation in adopting merger, procurement, and oversight policies that secure our data and protect its citizens and businesses. And in a state that’s home to so many tempting targets, it’s an opportunity we can’t afford to miss.

Vacco served as New York State’s 62nd attorney general.