NYDFS settles with EyeMed for $4.5 million


On October 18, 2022, the New York Department of Financial Services announced a regulation with EyeMed, a licensed life, accident and health insurer, regarding a security incident that occurred in 2020. The settlement claimed that EyeMed had committed seven violations of NYDFS cybersecurity regulations, including failure to have a proper annual assessment risks, failure to implement multi-factor authentication (MFA) and failure to implement policies and procedures for the secure disposal of personal information. The settlement requires EyeMed to pay $4.5 million, among other things.


As we had previously written, the threat actor gained access to an EyeMed email account around June 24, 2020 and not only gained access to six years of information, but also began sending 2,000 emails. phishing on July 1, 2020. These emails caught the attention of EyeMed’s IT department and also its customers, who complained. EyeMed blocked the threat actor’s access on July 1. Readers may recall that EyeMed reached a $600,000 settlement with the New York Attorney General regarding this incident, in February 2022. The New York Attorney General had alleged violations of New York’s SHIELD. Law. EyeMed neither admitted nor denied the AG’s findings in the settlement.

According to NYDFS, this compromised email account was shared by nine EyeMed employees and was only protected by a “weak password”. At the time, EyeMed was deploying MFA, but had not yet implemented it on the affected mailbox. EyeMed had engaged third-party vendors to perform the annual risk assessments required by cybersecurity regulations, but NYDFS found that they “do not meet the required standard of risk assessments for covered entities.” NYDFS found that none of the assessments addressed the risks associated with the compromised O365 mailbox. NYDFS also found that EyeMed did not have policies and procedures for the secure disposal of personal information that is no longer required for business purposes. Nevertheless, EyeMed has certified its compliance with the Cybersecurity Regulations every year, from 2018 to 2021.

In the settlement, NYDFS claimed that EyeMed violated seven provisions of the cybersecurity regulations:

1. Failure to maintain a cybersecurity risk assessment;

2. Failure to implement and maintain a cybersecurity risk assessment and address information security, access controls and identity management, customer data privacy and risk assessment;

3. Failure to limit users’ access privileges with respect to personal information;

4. Failure to conduct a sufficient risk assessment to inform cybersecurity program design;

5. Failure to implement MFA;

6. Failure to have policies and procedures for the secure disposal on a periodic basis of personal information; and

7. Incorrect certification of compliance with the Cybersecurity Regulations.

NYDFS praised EyeMed’s “commendable cooperation” and remediation efforts, but settled the case for $4.5 million. Additionally, EyeMed has 180 days to complete a risk assessment; and 60 days to prepare an action plan.

Over-retention/failure to eliminate

The NYDFS Cybersecurity Regulations do not specify any defined period for the retention or destruction of personal information, but it does require covered entities to have policies and procedures in place for the secure disposal, on a periodic basis, of personal information. personal information that is no longer required for business operations or other legitimate business purposes. 23 NYCRR § 500.13. In this case, NYDFS found that “because EyeMed failed to implement a sufficient data minimization strategy and disposal process for the mailbox, the compromised shared mailbox contained old data accessible to the threat actor Proper disposition processes minimize the amount of NPI accessible to an unauthorized third party during a cyber event Rules, ¶ 27.

Our opinion

We had before writing on increasing regulatory fines for excessive data retention. This settlement is of particular interest because it addressed email retention and EyeMed’s failure to implement a disposition program to remove outdated personal data from accounts. In other words, the NYDFS recommended (or required) that companies that share personal data via email (internally or externally) implement a concierge system to purge old personal data programmatically. NYDFS may be the first regulator to make such an explicit recommendation. NYDFS has not recommended a specific concierge period (eg, 180 days or 1 year), but it remains an important NYDFS decision.


About Author

Comments are closed.