NYDFS has taken another cybersecurity enforcement action, this time against vision insurance company EyeMed. NYDFS leveled a $4.5 million penalty against the company. From its findings: “The Department’s investigation revealed that as a result of a July 1, 2020 phishing attack, a bad actor gained access to a shared EyeMed email mailbox which contained over six years’ worth of consumer non-public information[], including that of minors.”
Following the announcement, NYDFS Executive Deputy Superintendent for Cybersecurity Justin Herring offered the following commentary on the settlement: “Last week DFS announced a settlement with health insurer EyeMed for violating DFS’s cyber regulation. The consent order describes the cybersecurity hygiene and governance breakdowns that led to the exposure of sensitive consumer data. These breakdowns included the lack of an adequate risk assessment. The risk assessment is the foundation of the risk-based cybersecurity program required by DFS’s cyber regulation. You can’t effectively mitigate cyber risk without a clear picture of what’s driving that risk. EyeMed also failed to implement multi-factor authentication (MFA). Lack of MFA remains the most common control failure behind the cyber incidents reported to DFS, and it is the most common control failure charged in DFS cyber enforcement actions. Effective access controls like MFA are critical to reducing cyber risk.”
The New York Attorney General also settled with EyeMed, in January 2022, over substantially the same conduct. That settlement was the first cybersecurity enforcement action by the NYAG under New York’s new SHIELD Act.
The NYDFS consent order is here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202210181
The commentary by Executive Deputy Superintendent Herring is here: https://www.linkedin.com/in/justin-herring-635b9194/recent-activity/
The NYAG settlement is here: https://ag.ny.gov/press-release/2022/attorney-general-james-announces-600000-agreement-eyemed-after-2020-data-breach