Earlier this month, the New York Attorney General’s Office issued findings of its investigation into a knowledge safety incident involving EyeMed Vision Care LLC (“EyeMed”) in addition to the settlement that it entered into with the corporate in alternate for not pursuing additional statutory costs.1 The settlement included a high quality of $600,000, a marked enhance from the $200,000 settlement reached with a web based retailer in response to a different breach earlier this yr.
The findings and settlement are instructive for corporations in search of to grasp how the New York Attorney General’s Office interprets present necessities for companies in response to breaches of company cybersecurity, notably in gentle of New York’s knowledge privateness laws underneath the SHIELD Act, and the growing stage of monetary penalties levied towards corporations which can be revealed to have insufficient safety infrastructure in investigations after a breach.
Background: New York’s SHIELD Act Provides Heightened Data Security Requirements
In March 2020, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, New York’s legislative response to the numerous enhance in knowledge safety incidents, went into impact. The SHIELD Act, by revising General Business Law § 899-aa and including § 899-bb, heightened necessities for corporations in response to knowledge safety incidents and expanded definitions contained within the earlier knowledge safety legal guidelines.
Of explicit significance, the SHIELD Act expanded the kind of private info that triggers breach notification necessities when uncovered, widening it to particularly embody account numbers, biometric info, credit score or debit card numbers, entry codes, usernames, e mail addresses, passwords, and safety questions and solutions. The SHIELD Act additionally tailored the definition of breach to incorporate not solely the acquisition of information and private info, but additionally the extra basic act of getting knowledge accessed, even absent proof that any knowledge was really obtained by the menace actors. More usually, the SHIELD Act established necessities for companies to take care of cheap knowledge privateness safeguards to guard towards the unauthorized entry or acquisition of private info, together with by integrating knowledge safety applications into their current infrastructure, and requiring them to designate a company result in oversee cybersecurity practices. Beyond broadening the precise phrases, it additionally expanded its attain past corporations who function in New York to cowl corporations that personal or license the knowledge of any resident of the state no matter the place they function.
The knowledge safety compliance requirements expanded by the SHIELD Act have spurred corporations to rework their knowledge privateness infrastructure and set up heightened safety protocols to adequately safeguard private info. The EyeMed Assurance of Discontinuance reinforces the requirements of the SHIELD Act and gives perception into the extra remedial measures that corporations could also be anticipated to absorb the wake of a safety incident.
Investigation and Findings of EyeMed’s Data Security Incident
According to the New York Attorney General’s findings, in late June of 2020 a menace actor accessed a single e mail account at EyeMed which had been utilized by some company shoppers to enter the private info of people for medical insurance coverage functions.2 Over the course of the next week, the menace actor had entry to info spanning the earlier six years in EyeMed’s e mail server.3
At the conclusion of the preliminary week of intrusion, the menace actor additionally used the e-mail account to ship roughly 2,000 phishing emails, which flagged EyeMed’s inside IT division and brought on entry to the e-mail account to be blocked.4
Subsequent investigation concluded that private info of greater than 2 million people and virtually 100,000 residents of New York had been accessed, together with contact info, medical account info, Social Security Numbers, in addition to different classes of personal, personally figuring out info.5
Following the conclusion of the investigation, EyeMed adopted relevant state knowledge breach notification necessities and started notifying people concerning the breach, providing complimentary credit score monitoring and fraud session and id theft monitoring providers.6
Upon investigation, the New York Attorney General’s Office concluded that EyeMed’s cybersecurity protocols didn’t meet sure necessities of §§ 899-aa and 899-bb.7 In explicit, the Attorney General recognized 4 areas of deficiency: authentication, password administration, logging and monitoring, and knowledge retention within the affected e mail account.8 For instance, the New York Attorney General’s Office discovered that EyeMed’s failure to combine multifactor authentication and require enough password complexity, particularly contemplating the existence of net entry and private info of people, fell wanting relevant knowledge privateness requirements. The investigation additionally concluded that after an assault had taken place, EyeMed lacked the requisite logging and monitoring programs for e mail accounts that will have enabled it to conclude with extra certainty what exact knowledge for particular people was accessed. The New York Attorney General’s Office additionally discovered EyeMed’s six yr knowledge retention interval to be unreasonable within the context of the amount of private info that it maintained. Ultimately, the investigation discovered that EyeMed had misrepresented the extent of its cybersecurity safeguards and didn’t adequately meet the requirements set out by New York State knowledge privateness legal guidelines.9
In lieu of pursuing EyeMed for statutory violations, EyeMed and the New York Attorney General’s Office agreed to varied adjustments in EyeMed’s cybersecurity practices and procedures, in addition to a high quality of $600,000.10 With the settlement, the New York Attorney General’s Office strengthened the requirement of a written info safety program and the corresponding mandates to inside cybersecurity infrastructure, such because the appointment of an worker answerable for sustaining it.11 The settlement additionally included necessities to extra adequately keep password complexity and multifactor authentication, in addition to superior info encryption, penetration testing, logging and monitoring, knowledge deletion, and extension of the credit score monitoring and id theft restoration providers offered to people affected by the incident.12
As knowledge breaches and different cyber-attacks turn into ever extra prevalent, it’s crucial that corporations have efficient, up-to-date safeguards in place. The outcomes of the EyeMed investigation reveal that companies working in New York should be sure that their cybersecurity insurance policies and procedures are absolutely compliant with the New York SHIELD Act and different relevant legal guidelines and laws. It is extra essential than ever for corporations to prioritize creating and updating written knowledge safety protocols and knowledge safety applications, to revise knowledge retention insurance policies to restrict the variety of people probably affected by any breach, and to proactively form their cybersecurity infrastructure to offer the absolute best monitoring and response to any potential knowledge safety incident.
1. See Assurance of Discontinuance, In the Matter of Investigation by Letitia James, Attorney General of the State of New York, of Eyemed Vision Care, LLC, Assurance No. 21-071 (Jan. 18, 2022), which has been posted to the New York Attorney General’s Office right here: https://ag.ny.gov/sites/default/files/eyemed_aod_-_final_-_fully_signed.pdf
2. Id. ¶ 1.
3. Id. ¶ 2.
4. Id. ¶ 5.
5. Id. ¶ 2.
6. Id. ¶ 7.
7. Id. ¶ 8.
10. Id. ¶¶ 21-28.
11. Id. ¶ 16.
12. Id. ¶¶ 21-27.
The content material of this text is meant to offer a common information to the subject material. Specialist recommendation ought to be sought about your particular circumstances.