On August 14, 2025, the New York Department of Financial Services (“NYDFS”) entered into a consent order with Healthplex, Inc. (“Healthplex”), which is licensed by NYDFS as an independent claims adjuster and as a life and/or accident and health insurance agent. In the consent order, Healthplex agreed to pay NYDFS $2 million and to change some of its policies and procedures, especially with respect to data retention and multi-factor authentication (“MFA”).

Notably, NYDFS concluded that Healthplex’s failure to maintain an Outlook 365 (“O365”) retention policy violated the NYDFS Cybersecurity Regulation. Relevant to this finding is that Healthplex experienced a recent cybersecurity incident where over 100,000 emails were accessible to the threat actor from a single employee’s email account. This consent order illustrates the importance of implementing email retention policies, and is part of a long line of recent regulatory enforcement actions from regulators, including NYDFS and the FTC, targeting over-retention of personal information and nonpublic customer information. Even companies that are not regulated by NYDFS should take note of this consent order.

Background

On November 22 or 23 of 2021, a Healthplex customer service employee clicked on a phishing email that invited the employee to enter their business email login credentials to receive a fax message. The employee did so. Because MFA was not enabled for Outlook Web Access, this action gave the threat actor access to the employee’s Office 365 (“O365”) account, which contained over 100,000 emails, many of which contained consumer information. The employee had been employed by Healthplex for approximately twenty years. On November 24, another Healthplex employee received a suspicious email from the account of the employee who clicked on the phishing email and reported it to security.

Healthplex’s security department conducted a forensic review. It concluded that non-public information (“NPI”) of tens of thousands of New York residents was accessible to the threat actor, including names, addresses, dates of birth, Social Security Numbers, financial information, driver’s license numbers, and personal health information—although the information varied by individual. Healthplex reported the security incident to NYDFS on April 8, 2022, which was well beyond the 72-hour timeline required by the NYDFS Cybersecurity Regulation.

NYDFS began an investigation of the incident. NYDFS concluded that “Healthplex failed to have a data retention policy in place on its O365 environment” and “MFA was not enabled for Healthplex’s Outlook Web Access at the time the original phishing email was received.”

NYDFS found the lack of any data retention policy for the O365 environment was a violation of Section 500.13 of the NYDFS cybersecurity regulation. Section 500.13 requires covered companies to maintain policies and procedures “for the secure disposal on a periodic basis of any nonpublic information” where no longer necessary for the business or not otherwise required to be maintained by law. NYDFS further concluded that the lack of a data retention policy led to over 100,000 emails being accessible to the threat actor.

The MFA matter is a bit more complicated. Healthplex had MFA in place on its previous email environment. When it migrated to O365 earlier in 2021, Healthplex did not check that the MFA function was completely operational for those accessing O365 from an external web browser. NYDFS concluded that “the threat actor was able to access the Account Associate’s email box through a web browser without having to bypass any MFA controls.” NYDFS found the lack of MFA was in violation of 23 NYCRR § 500.12(b).
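The gap NYDFS describes, a migration that left browser access to the mailbox without a second factor, is the kind of thing a post-migration review should catch from sign-in telemetry rather than from the settings screen. The following is an added example, not anything from the consent order or from Healthplex, that reads an export of sign-in records and flags successful browser sign-ins to Exchange Online from outside trusted networks that completed with a single factor. The record layout loosely follows the Microsoft Graph `signIn` resource (`userPrincipalName`, `appDisplayName`, `clientAppUsed`, `ipAddress`, `authenticationRequirement`, `status.errorCode`); the field names, the trusted network range and the sample records are assumptions and constructed data, to be checked against your own export.

```python
"""Flag browser sign-ins to Exchange Online that completed without MFA.

Added example, not part of the consent order or Healthplex's tooling. Field
names are assumed to resemble the Microsoft Graph `signIn` resource; verify
them against a real export before relying on the check.
"""
import ipaddress
import json

# Constructed sample export: five sign-in records, none of them real.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "ipAddress": "10.20.0.15",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.7",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "ipAddress": "198.51.100.9",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "ipAddress": "198.51.100.22",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "ipAddress": "198.51.100.30",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
])

# Assumed corporate egress range; anything outside it is treated as external.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def is_external(ip, trusted_networks=TRUSTED_NETWORKS):
    """True when the source address is not inside any trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in trusted_networks)


def find_unprotected_web_signins(signins_json, trusted_networks=TRUSTED_NETWORKS):
    """Return (upn, ip) pairs for successful browser sign-ins to Exchange Online
    from external addresses that were satisfied by a single factor.

    Failed attempts are skipped (they are a brute-force signal, not an MFA gap),
    as are non-browser clients such as ActiveSync, which need a separate review
    of legacy-protocol policy rather than this check.
    """
    findings = []
    for rec in json.loads(signins_json):
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        if rec.get("appDisplayName") != "Office 365 Exchange Online":
            continue
        if rec.get("clientAppUsed") != "Browser":
            continue
        if not is_external(rec["ipAddress"], trusted_networks):
            continue
        if rec.get("authenticationRequirement") == "singleFactorAuthentication":
            findings.append((rec["userPrincipalName"], rec["ipAddress"]))
    return findings


if __name__ == "__main__":
    for upn, ip in find_unprotected_web_signins(SAMPLE_SIGNINS):
        print(f"single-factor external web sign-in: {upn} from {ip}")
```

Run against the constructed sample, only the second record is reported: an internal single-factor sign-in, an external sign-in that did complete MFA, a failed attempt and an ActiveSync session are all filtered out. On a real tenant the same query, run for the days after a mail migration, is a cheap way to confirm that conditional access actually covers web access before an incident does it for you.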

It should be noted that Healthplex had filed its annual certification of compliance with the NYDFS Cybersecurity Regulation for multiple years (2018, 2019, 2020, and 2021) preceding the cybersecurity incident.

The Consent Order

NYDFS found that Healthplex violated the cybersecurity regulations by (1) failing to have policies and procedures for the secure disposal of NPI in accordance with the Cybersecurity Regulation; (2) failing to implement MFA in order to access NPI from an external network; (3) failing to report the security incident within 72 hours of the determination that the incident occurred; and (4) certifying compliance when Healthplex was not in compliance.

Healthplex agreed to pay $2 million and to have an MFA audit conducted by a third party. In addition, Healthplex must “continue to strengthen its controls to protect its Information Systems and the NPI it maintains in accordance with the requirements of the Cybersecurity Regulation.”

Our Take

As we continue to see over-retention of data generate regulatory fines, this consent order is interesting in its focus on email and in finding that the lack of an email-specific data retention policy is a violation of the Cybersecurity Regulation. Although the order does not suggest a specific retention period that may be appropriate for email, NYDFS has previously suggested that retention of email for more than six years may be considered excessive.

This result should not be unexpected. NYDFS, as well as other regulators, has focused on data disposition as a key way to eliminate cyber risk, especially for older data that has no business value. Moreover, we have seen companies struggle with email, both with implementing automated janitors to delete old email and with stopping employees (and clients and other third parties) from sending NPI by email. The combination creates serious cyber risk, but the inverse is equally true: limiting the amount of NPI in email and programmatically deleting old email can significantly reduce cyber risk. Indefinite retention of email is problematic on a number of levels, and it is a solvable problem.
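To make the two halves of that point concrete, the following is an added example (not Healthplex's or NYDFS's tooling) of the logic a mailbox janitor runs: it computes a retention cutoff, sorts messages into purge, hold and keep buckets, and flags messages whose content looks like NPI. The six-year window is the figure this post cites as the point beyond which NYDFS has suggested email retention may be excessive; the mailbox records, the legal-hold list and the NPI patterns are constructed and deliberately rough, a real deployment would use the platform's retention policies and a validated DLP classifier.

```python
"""Retention cutoff, legal-hold carve-out and NPI flagging over mailbox metadata.

Added example, not part of the original post or of Healthplex's environment.
Sample messages and the hold list are constructed; the patterns are crude
indicators, not a data-classification engine.
"""
import re
from datetime import date

RETENTION_YEARS = 6          # window the post cites as NYDFS's suggested ceiling
ORDER_DATE = date(2025, 8, 14)  # the consent order date, used as "today" below

# Constructed sample mailbox metadata: (message id, received date, subject, body excerpt).
SAMPLE_MAILBOX = [
    ("m1", date(2015, 3, 2), "Claim 4471 follow-up", "Member SSN 123-45-6789 attached"),
    ("m2", date(2019, 7, 14), "Lunch Thursday?", "See you at noon"),
    ("m3", date(2024, 1, 9), "Provider roster", "Roster attached, no member data"),
    ("m4", date(2016, 11, 30), "Litigation exhibit", "Payment card 4111 1111 1111 1111"),
]
LEGAL_HOLDS = {"m4"}  # constructed: messages under hold are never purged by the janitor

# Rough NPI indicators only; false positives (phone numbers, IDs) are expected.
NPI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def retention_cutoff(today, years=RETENTION_YEARS):
    """Date before which a message is past retention; handles Feb 29 safely."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:  # Feb 29 mapped onto a non-leap year
        return today.replace(year=today.year - years, day=28)


def classify_mailbox(mailbox, holds, today):
    """Bucket messages for a retention run and list NPI hits regardless of age.

    keep  : received on or after the cutoff
    held  : past the cutoff but subject to a legal hold
    purge : past the cutoff and not held
    npi   : (message id, matched pattern names) for any message with NPI-like content
    """
    cutoff = retention_cutoff(today)
    purge, held, keep, npi_hits = [], [], [], []
    for msg_id, received, _subject, body in mailbox:
        kinds = [name for name, pat in NPI_PATTERNS.items() if pat.search(body)]
        if kinds:
            npi_hits.append((msg_id, kinds))
        if received >= cutoff:
            keep.append(msg_id)
        elif msg_id in holds:
            held.append(msg_id)
        else:
            purge.append(msg_id)
    return {"purge": purge, "held": held, "keep": keep, "npi": npi_hits}


if __name__ == "__main__":
    result = classify_mailbox(SAMPLE_MAILBOX, LEGAL_HOLDS, ORDER_DATE)
    print("cutoff:", retention_cutoff(ORDER_DATE))
    for bucket in ("purge", "held", "keep", "npi"):
        print(f"{bucket}: {result[bucket]}")
```

With the order date as "today", the cutoff is August 14, 2019: the 2015 claim email and the 2019 lunch note are purged, the 2016 litigation exhibit is retained only because of the hold, and the 2024 roster is kept. The NPI list is reported independently of age, which is the second half of the post's point: a message carrying a Social Security number is a problem on the day it arrives, not only after six years.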

The questions companies should consider include: Does your company have an email retention policy in place? Does your policy or practice essentially permit indefinite retention of email? What retention period is appropriate for your business? Answering these questions will likely require collaboration between external counsel, IT, records management, and internal legal departments to develop or evaluate data retention policies applicable to email.