On October 18, 2022, the New York Department of Financial Services announced a settlement with EyeMed, a licensed life, accident, and health insurer, with respect to a security incident that occurred in 2020. The settlement claimed that EyeMed had committed seven violations of the NYDFS Cybersecurity Regulation, including failure to have an appropriate annual risk assessment, failure to implement multifactor authentication (MFA), and failure to implement policies and procedures for secure disposal of personal information. The settlement requires EyeMed to pay $4.5 million, among other things.
As we had previously written, the threat actor obtained access to an EyeMed email account on approximately June 24, 2020 and not only obtained access to six years’ worth of information, but also began sending 2,000 phishing emails on July 1, 2020. Those emails came to the attention of EyeMed’s IT department and also its customers, who complained. EyeMed blocked the threat actor’s access on July 1. Readers may recall that EyeMed entered into a $600,000 settlement with the New York Attorney General with respect to this incident, in February of 2022. The New York Attorney General had alleged violations of the New York SHIELD Act. EyeMed neither admitted nor denied the AG’s findings in the settlement.
According to NYDFS, that compromised email account was shared by nine EyeMed employees and was protected only by a “weak password.” At the time, EyeMed was rolling out MFA, but had not yet implemented it on the affected email box. EyeMed had engaged third-party vendors to conduct the annual risk assessments required by the Cybersecurity Regulation, but NYDFS found that they “do not meet the standard required of Risk Assessments for Covered Entities.” NYDFS found that none of the assessments addressed the risks associated with the compromised O365 mailbox. NYDFS also found that EyeMed did not have policies and procedures for the secure disposal of personal information no longer needed for business purposes. Nevertheless, EyeMed certified its compliance with the Cybersecurity Regulation annually, from 2018 to 2021.
In the settlement, NYDFS claimed that EyeMed violated seven provisions of the Cybersecurity Regulation:
1. Failure to maintain a cybersecurity risk assessment;
2. Failure to implement and maintain a cybersecurity risk assessment and address information security, access controls and identity management, customer data privacy and risk assessment;
3. Failure to limit user access privileges with respect to personal information;
4. Failure to conduct a risk assessment sufficient to inform the design of the cybersecurity program;
5. Failure to implement MFA;
6. Failure to have policies and procedures for the secure disposal on a periodic basis of personal information; and
7. Improper certification of compliance with the Cybersecurity Regulation.
NYDFS lauded EyeMed’s “commendable cooperation” and its remediation efforts, but settled the matter for $4.5 million. In addition, EyeMed has 180 days to conduct a risk assessment, and 60 days to prepare an action plan.
Over-Retention/Failure to Dispose
The NYDFS Cybersecurity Regulation does not specify any set period for retention or destruction of personal information, but it does require covered entities to have policies and procedures in place for the secure disposal, on a periodic basis, of personal information that is no longer necessary for business operations or other legitimate business purposes. 23 NYCRR § 500.13. In this matter, NYDFS found that “because EyeMed failed to implement a sufficient data minimization strategy and disposal process for the Mailbox, the compromised shared Mailbox contained old data that was accessible to the threat actor. Proper disposal processes minimize the amount of NPI accessible to an unauthorized third party during a Cyber Event.” Settlement, ¶ 27.
We had previously written about the increasing regulatory fines for over-retention of data. This settlement is particularly interesting because it focused on the retention of email and on EyeMed’s failure to have a disposition program in place to remove obsolete personal data from the accounts. Put another way, NYDFS was recommending (or requiring) that companies that share personal data through email (either internally or externally) have a janitor system in place to purge old personal data programmatically. NYDFS may be the first regulator to make such an explicit recommendation. NYDFS did not recommend a specific janitor period (e.g., 180 days or 1 year), but this is still a significant move by NYDFS.