New York Financial Services EyeMed Regulation Emphasizes Risk Assessment and Email Control | Davis Wright Tremaine LLP

[co-author: Lauren Harris]*

The New York Department of Financial Services (NYDFS) continues to be a major player in the enforcement of data security. On October 18, 2022, NYDFS announced that it had entered into a consent order with EyeMed Vision Care LLC (EyeMed) to resolve allegations that EyeMed violated numerous provisions of the NYDFS Cybersecurity Regulation (Cybersecurity Regulation), which contributed to the exposure of non-public sensitive personal health data, including data concerning minors, to cyber attackers. EyeMed agreed to pay a $4.5 million fine and “agreed to take significant corrective action to better secure its data.” NYDFS’ settlement with EyeMed came days after the New York Attorney General announced a $1.6 million settlement with Zoetop Business Company, Ltd., over alleged cybersecurity lapses affecting millions of customers of the online retailers SHEIN and ROMWE (see our discussion here).

NYDFS’ settlement with EyeMed highlights the importance of conducting risk assessments – both specifically to comply with the Cybersecurity Regulation and generally to mitigate cyber risk – and of adopting critical email security measures, such as multi-factor authentication (MFA), access controls, and data retention and disposal requirements.

Additionally, NYDFS released proposed amendments to the Cybersecurity Regulation yesterday, November 9, 2022. We discussed an earlier version of these amendments in a previous post and will discuss the newly proposed amendments in an upcoming post. Companies subject to the Cybersecurity Regulation should continue to monitor NYDFS enforcement and regulatory activity in this area.

The Cybersecurity Regulation

The NYDFS Cybersecurity Regulation, which went into effect in 2017, requires covered entities (those operating under the New York Banking Law, Insurance Law, or Financial Services Law, subject to several exceptions) to “maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s information systems.”[1] Covered entities must conduct a risk assessment – a fundamental requirement of the Cybersecurity Regulation – and must adopt various protective measures based on the results of that risk assessment, including multi-factor authentication, encryption, training, an incident response plan, and vendor monitoring.

The Cybersecurity Regulation applies broadly to “non-public information,” which includes sensitive commercial information, listed categories of personally identifiable information, and information relating to an individual’s health or healthcare.[2] Covered entities are also required to notify the NYDFS Superintendent of “cybersecurity events” within 72 hours and to submit annual certifications of compliance with the Cybersecurity Regulation.[3] The Cybersecurity Regulation served as a model for several other data security laws and frameworks, including the FTC’s revised Safeguards Rule under the Gramm-Leach-Bliley Act (discussed in our blog post and webinar).

NYDFS findings against EyeMed

EyeMed is an approved health insurance provider. According to NYDFS’ findings in the consent order, an unauthorized person had access to an EyeMed email account from June 24, 2020 to July 1, 2020. Nine EyeMed employees shared login credentials for this email account, which the company used to process and report on vision care insurance enrollments.

Through the intrusion, the attacker was able to access and view emails and attachments containing non-public personal information dating back six years. According to the NYDFS press release announcing the settlement, the breach “contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public personal health data, including data about minors.” EyeMed suspected, but could not confirm, that the attacker gained access to the mailbox through a phishing attack. The mailbox contained more than six years of consumer data, including that of minors. However, MFA had not been enabled on the mailbox when the attack occurred, and the mailbox was protected by a weak password shared by nine employees, which made it more vulnerable to threat actors.

NYDFS found that, among other violations, EyeMed failed to:

  • Carry out an adequate risk assessment. The consent order refers to risk assessments as “an essential component of a robust cybersecurity program.” Although EyeMed had conducted “third-party audits of its IT controls and enterprise risk management reviews,” NYDFS found that these assessments did not meet the Cybersecurity Regulation’s requirements. Additionally, none of the assessments addressed the risks posed by the storage of non-public personal information in the shared mailbox. According to NYDFS, failure to conduct an adequate risk assessment both violates the Cybersecurity Regulation itself and may lead to other violations. For example, if EyeMed had assessed the risk of storing sensitive data in the shared mailbox, it could have adopted MFA and other security controls before the attack.
  • Implement MFA for its email system. NYDFS has made it clear that in most cases multi-factor authentication should be implemented to protect email accounts that store non-public information.[4] NYDFS issued guidance in December 2021 stating that MFA should be used to secure both on-premises and cloud-based email systems. EyeMed was in the process of deploying MFA for its cloud-based Office 365 email system, but had not yet deployed MFA for the shared email account before the attack.
  • Limit user access privileges. NYDFS found that EyeMed violated the Cybersecurity Regulation’s requirement to limit users’ access privileges to non-public information in the way it shared access to the compromised mailbox. Nine EyeMed employees shared login credentials to access this mailbox and, presumably to make access easier, the mailbox was protected only with a weak password.
    • Shared mailboxes are common targets for phishing attacks because they tend to have weaker access controls (to make sharing easier) and typically receive a wide range of content from many different senders, making it harder for mailbox users to determine which emails are genuine and which are phishing.
  • Implement sufficient data retention and disposal processes. NYDFS found that the compromised mailbox contained a large amount of non-public information, much of which was old and no longer needed for business purposes. However, EyeMed lacked data minimization or disposal procedures for the mailbox, giving the attacker access to a considerable amount of sensitive information and resulting in a violation of the Cybersecurity Regulation’s requirement to maintain secure deletion procedures.
    • Inadequate data minimization and deletion procedures for email accounts are a major data security issue in many businesses. It is common for employees to store large amounts of sensitive information in their email accounts, alongside a great deal of non-sensitive messages and attachments, and to retain this information indefinitely. When these email accounts are compromised, significant data breaches often result. Companies should require employees to manage sensitive information outside of email, for example by using secure transfer sites to transmit sensitive data and moving sensitive information to secure document storage systems for long-term retention, and should consider adopting automatic deletion policies for email accounts, as far as possible.

As a result of these findings, NYDFS determined that EyeMed submitted improper certifications of compliance with the Cybersecurity Regulation from 2017 to 2020. In addition to paying the $4.5 million fine, EyeMed agreed to implement numerous corrective actions to better secure customer information, including conducting a comprehensive cybersecurity risk assessment and developing a detailed action plan outlining how the company will address the risks identified in that assessment.

Conclusion

In New York and elsewhere, regulators actively enforce data breach notification and data security laws, resulting in multimillion-dollar settlements for alleged violations. Companies should be prepared for regulators’ scrutiny of their data security practices, including whether they use up-to-date, industry-standard technical controls, such as hashing and encryption protocols.

Companies subject to the Cybersecurity Regulation should also be aware that in July 2022, NYDFS released draft amendments to the Cybersecurity Regulation, including requirements for senior management to address cybersecurity issues, which we discussed in this blog post.

*Lauren graduated in 2022 from Georgetown University School of Law. Lauren was a summer associate at DWT’s Washington, DC office and is now full-time with DWT awaiting admission to the DC bar.


[1] 23 CRR-NY § 500.2.

[2] 23 CRR-NY § 500.1.

[3] 23 CRR-NY § 500.17.

[4] Under the Cybersecurity Regulation, MFA must be used to access an internal network from an external network (e.g., the Internet) “unless the CISO of the covered entity has approved in writing the use of reasonably equivalent or more secure access controls.” 23 CRR-NY § 500.12(b). NYDFS considers a cloud-based email account to be part of an “internal network” for the purposes of this requirement, and therefore one that should generally be secured with MFA. See, for example, FAQ 18 of the NYDFS Cybersecurity Regulation FAQ: https://www.dfs.ny.gov/industry_guidance/cybersecurity.
