Earlier this month, the New York Attorney General’s Office issued findings of its investigation into a knowledge safety incident involving EyeMed Vision Care LLC (“EyeMed”) in addition to the settlement that it entered into with the corporate in change for not pursuing additional statutory costs.[1] The settlement included a high-quality of $600,000, a marked improve from the $200,000 settlement reached with an internet retailer in response to one other breach earlier this 12 months.
The findings and settlement are instructive for corporations looking for to perceive how the New York Attorney General’s Office interprets present necessities for companies in response to breaches of company cybersecurity, notably in mild of New York’s information privateness rules below the SHIELD Act, and the growing degree of monetary penalties levied towards corporations which might be revealed to have insufficient safety infrastructure in investigations after a breach.
Background: New York’s SHIELD Act Provides Heightened Data Security Requirements
In March 2020, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, New York’s legislative response to the numerous improve in information safety incidents, went into impact. The SHIELD Act, by means of revising General Business Law § 899-aa and including § 899-bb, heightened necessities for corporations in response to information safety incidents and expanded definitions contained within the earlier information safety legal guidelines.
Of specific significance, the SHIELD Act expanded the kind of private data that triggers breach notification necessities when uncovered, widening it to particularly embrace account numbers, biometric data, credit score or debit card numbers, entry codes, usernames, e-mail addresses, passwords, and safety questions and solutions. The SHIELD Act additionally tailored the definition of breach to embrace not solely the acquisition of information and private data, but additionally the extra elementary act of having information accessed, even absent proof that any information was truly obtained by the risk actors. More typically, the SHIELD Act established necessities for companies to preserve affordable information privateness safeguards to shield towards the unauthorized entry or acquisition of private data, together with by integrating information safety packages into their current infrastructure, and requiring them to designate a company lead to oversee cybersecurity practices. Beyond broadening the particular phrases, it additionally expanded its attain past corporations who function in New York to cowl corporations that personal or license the knowledge of any resident of the state regardless of the place they function.
The information safety compliance requirements expanded by the SHIELD Act have spurred corporations to transform their information privateness infrastructure and set up heightened safety protocols to adequately safeguard private data. The EyeMed Assurance of Discontinuance reinforces the requirements of the SHIELD Act and offers perception into the extra remedial measures that corporations could also be anticipated to take within the wake of a safety incident.
Investigation and Findings of EyeMed’s Data Security Incident
According to the New York Attorney General’s findings, in late June of 2020 a risk actor accessed a single e-mail account at EyeMed which had been utilized by some company purchasers to enter the non-public data of people for medical insurance coverage functions.[2] Over the course of the next week, the risk actor had entry to data spanning the earlier six years in EyeMed’s e-mail server.[3]
At the conclusion of the preliminary week of intrusion, the risk actor additionally used the e-mail account to ship roughly 2,000 phishing emails, which flagged EyeMed’s inside IT division and brought about entry to the e-mail account to be blocked.[4]
Subsequent investigation concluded that private data of greater than 2 million people and nearly 100,000 residents of New York had been accessed, together with contact data, medical account data, Social Security Numbers, in addition to different classes of personal, personally figuring out data.[5]
Following the conclusion of the investigation, EyeMed adopted relevant state information breach notification necessities and started notifying people relating to the breach, providing complimentary credit score monitoring and fraud session and id theft monitoring providers.[6]
Upon investigation, the New York Attorney General’s Office concluded that EyeMed’s cybersecurity protocols didn’t meet sure necessities of §§ 899-aa and 899-bb.[7] In specific, the Attorney General recognized 4 areas of deficiency: authentication, password administration, logging and monitoring, and information retention within the affected e-mail account.[8] For instance, the New York Attorney General’s Office discovered that EyeMed’s failure to combine multifactor authentication and require enough password complexity, particularly contemplating the existence of internet entry and private data of people, fell brief of relevant information privateness requirements. The investigation additionally concluded that when an assault had taken place, EyeMed lacked the requisite logging and monitoring programs for e-mail accounts that may have enabled it to conclude with extra certainty what exact information for particular people was accessed. The New York Attorney General’s Office additionally discovered EyeMed’s six 12 months information retention interval to be unreasonable within the context of the quantity of private data that it maintained. Ultimately, the investigation discovered that EyeMed had misrepresented the extent of its cybersecurity safeguards and failed to adequately meet the requirements set out by New York State information privateness legal guidelines.[9]
In lieu of pursuing EyeMed for statutory violations, EyeMed and the New York Attorney General’s Office agreed to varied modifications in EyeMed’s cybersecurity practices and procedures, in addition to a high-quality of $600,000.[10] With the settlement, the New York Attorney General’s Office strengthened the requirement of a written data safety program and the corresponding mandates to inside cybersecurity infrastructure, such because the appointment of an worker accountable for sustaining it.[11] The settlement additionally included necessities to extra adequately preserve password complexity and multifactor authentication, in addition to superior data encryption, penetration testing, logging and monitoring, information deletion, and extension of the credit score monitoring and id theft restoration providers offered to people affected by the incident.[12]
Takeaways
As information breaches and different cyber-attacks grow to be ever extra prevalent, it’s essential that corporations have efficient, up-to-date safeguards in place. The outcomes of the EyeMed investigation display that companies working in New York should be sure that their cybersecurity insurance policies and procedures are absolutely compliant with the New York SHIELD Act and different relevant legal guidelines and rules. It is extra necessary than ever for corporations to prioritize creating and updating written information safety protocols and knowledge safety packages, to revise information retention insurance policies to restrict the quantity of people probably affected by any breach, and to proactively form their cybersecurity infrastructure to present the absolute best monitoring and response to any potential information safety incident.
[1] See Assurance of Discontinuance, In the Matter of Investigation by Letitia James, Attorney General of the State of New York, of Eyemed Vision Care, LLC, Assurance No. 21-071 (Jan. 18, 2022), which has been posted to the New York Attorney General’s Office right here: https://ag.ny.gov/sites/default/files/eyemed_aod_-_final_-_fully_signed.pdf
[2] Id. ¶ 1.
[3] Id. ¶ 2.
[4] Id. ¶ 5.
[5] Id. ¶ 2.
[6] Id. ¶ 7.
[7] Id. ¶ 8.
[8] Id.
[9] Id.
[10] Id. ¶¶ 21-28.
[11] Id. ¶ 16.
[12] Id. ¶¶ 21-27.
https://www.jdsupra.com/legalnews/new-york-attorney-general-s-office-s-2172606/
:max_bytes(150000):strip_icc()/registration-3938434_1280-e2aa7e5d57264ae19b69027f14c85c2f.jpg)
