Insurance Provider Settles NYDFS Charges for Cybersecurity Violations

Commentary by Michael A. Kleinman

An insurance plan provider settled charges with the New York Department of Financial Services ("NYDFS") for violations of New York's Cybersecurity Regulation that resulted in a data leak that exposed hundreds of thousands of consumers' sensitive, non-public personal health data, including data concerning minors.

In its Consent Order, NYDFS stated that the company failed to meet many requirements of the regulation, including implementing multi-factor authentication ("MFA") for access to its email environment. NYDFS found that the company did not begin integrating MFA into its email systems until March 2020, and that not all users were enrolled until September 2020, even though MFA had been a required control under the regulation since 2018.

NYDFS said that, before enrollment was completed, a threat actor gained unauthorized access to a shared company email account containing more than six years of non-public consumer information. Although the company took immediate action to block the threat actor's access and to notify consumers once the incident was discovered, NYDFS found that several instances of non-compliance with the regulation led to the breach.

In addition, NYDFS found that the company had not conducted the required assessment of the risks associated with the precise practice at issue: storing non-public consumer information in a shared mailbox. The company also failed to appropriately limit user access privileges to email, and failed to implement policies and procedures for disposing of consumer information that was no longer necessary for business operations or other legitimate business purposes. Throughout this period, the company certified its compliance with the regulation on an annual basis.

To settle the charges, the company agreed to pay a $4,500,000 civil monetary penalty and undergo remediation efforts to improve its cybersecurity program, including conducting a comprehensive risk assessment and submitting the results, along with a detailed action plan, to NYDFS for its review and approval.

Commentary


On its surface, the settlement serves as yet another reminder that the implementation of multi-factor authentication is not just a sensible risk management practice; it is a baseline legal requirement. But digging deeper, taken together with the SEC's recent $35 million fine issued to an investment adviser for failure to properly dispose of customer records, the settlement highlights the importance of implementing data retention and destruction policies and verifying compliance with such policies.
