NYDFS Imposes $4.5 Million Fine on EyeMed Vision Care LLC for Violations of New York’s Cybersecurity Regulation
On October 17, 2022, the New York Department of Financial Services (NYDFS) announced a settlement with EyeMed Vision Care LLC (EyeMed), a NYDFS-licensed insurance producer, for alleged violations of the cybersecurity regulations of the NYDFS (Part 500). Under its consent order and settlement agreement with the NYDFS (the Order), EyeMed has agreed to pay a $4,500,000 fine for its alleged violations of Part 500. EyeMed has also agreed to submit to the NYDFS, by mid-January 2023, a comprehensive cybersecurity risk assessment. This settlement rings another alarm for NYDFS-regulated financial institutions regarding the considerable reputational, economic and legal costs that may be associated with Part 500 non-compliance.
The findings underlying the Order were identified by the NYDFS in the course of an investigation of EyeMed following its disclosure (in compliance with Part 500) that it had experienced a cybersecurity event. The NYDFS’ investigation revealed that a cyber intruder gained access, apparently through a successful phishing scheme, to an EyeMed email account shared by nine employees that was used for enrolling new customers in insurance products. The intrusion reportedly lasted for one week, potentially exposing the sensitive personal health data of hundreds of thousands of consumers—including data concerning minors—to the threat actor. The NYDFS confirmed that the threat actor had the ability to exfiltrate the information in the email’s inbox during the time they were accessing the account.
According to the Order, the NYDFS found that EyeMed failed to comply with its Part 500 obligations by neglecting to implement sufficient safeguards, policies and procedures designed to secure and protect nonpublic personal information (NPI), including policies and procedures addressing user access controls and NPI use and disposal. The Order points to particular actions that contributed to the NYDFS’ view that EyeMed had failed to comply with Part 500 in several respects:
- EyeMed had begun, but not yet completed, rolling out multi-factor authentication for all of its users, leaving its information systems and consumers’ NPI vulnerable to unauthorized persons or threat actors.
- EyeMed failed to conduct a risk assessment that was compliant with Part 500. EyeMed had engaged third-party cybersecurity vendors to conduct periodic audits of its information technology controls, as well as enterprise risk management reviews, but the NYDFS found that those assessments did not meet the standards for risk assessments set forth under Part 500.
- EyeMed failed to adequately limit user access privileges by allowing nine EyeMed employees to share login credentials—containing a weak password—to the compromised email inbox.
- EyeMed did not institute a sufficient data minimization strategy and disposal process for the email inbox, which resulted in old data, including NPI, being accessible to the threat actor.
- Based on the compliance deficiencies identified by the NYDFS, EyeMed submitted inaccurate certifications of its compliance with Part 500 in each of the prior four years. Although these certifications were timely and made in good faith, EyeMed was not in compliance with Part 500 at the time of each filing.
While making these findings, the Order cites EyeMed’s “commendable cooperation throughout [the] investigation” and demonstration of a “commitment to remediation by devoting significant financial and other resources to enhance its cybersecurity program, including through changes to [their] policies, procedures, systems, and governance structures.” The Order also explicitly emphasizes that regulated entities may mitigate the severity of any Part 500 penalty by cooperating with the NYDFS in any investigation, as well as by acting promptly and diligently in remediating any security vulnerabilities.
Financial institutions interested in conducting Part 500-compliant cybersecurity assessments or that have questions regarding their obligations under the rule may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm's Financial Services and Privacy, Cybersecurity and Data Strategy teams would be pleased to assist with any questions about cybersecurity compliance and enforcement more broadly.
*George Eichelberger contributed to this Blog post. Mr. Eichelberger is a graduate of the University of Pennsylvania Law School and is employed at Arnold & Porter's Washington, DC office. He is not admitted to the practice of law.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.