Member News

Thompson Hine | See No Evil, Speak No Evil, Then Pay the Piper: Be Ready for the Worst-Case Results in Cybersecurity

Getting an advanced handle on cybersecurity and the attendant fallout from breaches is important, and failure to do so can be very costly on many levels. Not only do breaches regularly result in an onslaught of litigation, bad press and loss of customers and revenue, but companies often are exposed to fines and penalties by state, federal, and international regulators. Even though cybersecurity is frequently cited as one of the top-of-mind issues in C-suites, it’s easy enough to push the granular details of this issue aside, especially given the bombardment of other influential business factors and threats that require immediate, high-level strategic attention.

However, as if we needed a further reminder of the risks of non-compliance with the various levels of cyber requirements, the New York State Department of Financial Services (DFS) recently fined EyeMed Vision Care LLC (“EyeMed”) $4.5 million for violating the DFS’s Cybersecurity Regulation (23 NYCRR Part 500) (“Regulation”).[1] The fine and the DFS’s report on its investigation are worth noting, especially given the recently announced proposed New York requirements attributing responsibility for compliance failures to a company’s board of directors under a proposed Second Amendment to the Regulation.

Recent Enforcement Action

EyeMed is a licensed accident and health insurer that regularly collects nonpublic personal information (NPI) about patients and others. EyeMed was subject to an invasive phishing attack during July 2020, in which a hacker (or hackers) gained access to one of EyeMed’s (many) shared email boxes. The hacked email box contained more than six years of accumulated consumer NPI, including NPI concerning minors. Although EyeMed already was subject to a regulatory investigation by the Office of the New York Attorney General (and paid substantial fines arising from that investigation), the DFS initiated its own investigation into the same event, which resulted in a separate consent order.

Among other things, the consent order with the DFS stated that EyeMed failed to:

  • implement multi-factor authentication throughout its email system[2] as required under 23 NYCRR § 500.12(b);
  • limit user access privileges, as required under 23 NYCRR § 500.07, instead allowing multiple employees (nine, in fact) to share login credentials to the breach-affected email box;
  • implement sufficient data retention and disposal processes, as required under 23 NYCRR § 500.13, resulting in potential exposure to the hacker(s) of more than six years of NPI and other data via access to the affected email box; and
  • conduct adequate cybersecurity risk assessments, including periodic risk assessments, as required under 23 NYCRR § 500.02(b), 23 NYCRR § 500.03 and 23 NYCRR § 500.09(a).

In the view of the DFS, had these controls been in place in a timely manner, this cybersecurity breach would have been prevented or limited in scope. Conducting risk assessments as required likely would have identified the user access privilege and data disposal risks associated with the email box that was subjected to the phishing attack. Similarly, the DFS indicated that addressing employee cybersecurity training at EyeMed undoubtedly could have enabled earlier identification of EyeMed’s vulnerabilities.

As part of the settlement with the DFS, and in addition to the $4.5 million fine, EyeMed agreed to immediately take significant remedial measures to better secure its data, including conducting a comprehensive cybersecurity risk assessment and developing a detailed action plan to address the risks identified in the assessment. Both the risk assessment’s results and the action plan are subject to the review and approval of the Department.

The DFS’s press release stated that the $4.5 million penalty underscores its increasing focus on protecting consumers “while ensuring the safety and soundness of financial institutions from cyber threats,” and other regulators appear to be close behind.

More Regulation on the Horizon

On November 9, 2022, the DFS proposed the Second Amendment to the Regulation. The amendment would strengthen the DFS’s risk-based approach to ensure cybersecurity risk is integrated into business planning, decision-making, and ongoing risk management. The changes would include:

  • Creating two tiers of size-based covered entities, further tailoring the Regulation to a diverse set of businesses with different “defensive needs” and increasing the size threshold of smaller, exempt covered entities;
  • Significantly increasing governance, reporting and disclosure requirements in order to enhance accountability at the board, the covered entities’ Chief Information Security Officer (CISO) and C-suite levels;
  • Implementing additional controls to prevent initial unauthorized access to information systems and to prevent or mitigate the spread of a cyber event;
  • Requiring regular risk and vulnerability assessments, as well as more incident response, business continuity and disaster recovery planning; and
  • Requiring additional training and cybersecurity awareness programs.

The Second Amendment would impose the ultimate responsibility and liability on the company’s “senior governing body” (aka, the board of directors), CISO (or approved equivalent) and the company’s “highest ranking executive.” These additional responsibilities are similar to the SEC’s proposals, which would impose enhanced oversight responsibilities for cybersecurity risks and generally require that a company’s board receive timely notices of significant cyber issues or events and annual reports about cyber risks and the company’s plans to address potential security breaches.

You can review a summary of the SEC proposed regulations on our website: SEC Issues Proposed Rules on Mandatory Cybersecurity Disclosure.

In addition, covered entities would be required to disclose to the DFS (and other regulators such as the SEC) whether members of the board of directors have sufficient expertise to oversee cybersecurity risks/threats or whether the company relies on outside cyber consultants. The DFS does not provide guidance as to how covered entities should evaluate the cyber expertise of board members; however, covered entities that fail to adequately comply would be subject to sanctions, including penalties and fines.[3]

It is noteworthy that, under the proposed Second Amendment, covered entities would have 72 hours to notify the DFS about breaches and unauthorized access to accounts that may affect a “material” portion of the company’s data, information, and storage systems. (The term “materiality” also is not defined in the regulation, but undoubtedly the DFS would impose additional fines for failure to provide timely notice.) In addition, the board also would be charged with notifying the DFS within 24 hours after any ransomware attack.[4] The DFS states that it recognizes that the degree of board responsibility may vary based upon the company’s size, with the most stringent requirements applicable to “Class A Companies” (generally, larger companies by revenue and/or employee base). The Second Amendment also sets forth a litany of enforcement actions available to the DFS, including fines, penalties and other sanctions, depending upon the regulator’s assessment of the violation(s) and the covered entity’s compliance efforts. The Second Amendment is subject to a 60-day review and comment period as of the date of its publication (November 9, 2022).

The EyeMed settlement reflects a recent trend of increased regulatory actions[5] and scrutiny following data breaches. Accordingly, businesses have been paying thousands, and in the case of EyeMed and others, millions of dollars to resolve data breach regulatory investigations, and such costs are on top of expenses incurred from the cyberattacks themselves (e.g., digital forensic and other consultant fees, ransom payments). The settlement underscores the importance of companies proactively implementing comprehensive security controls and frequently assessing the quality of their information security programs.

Author:

  • Robert Ansehl, Partner, New York | Robert.Ansehl@ThompsonHine.com

Compliments of Thompson Hine LLP – a member of the EACCNY.
[1] The parties’ settlement provides that EyeMed may not seek reimbursement for the fine under any insurance nor take that fine as a deduction for tax purposes.
[2] According to the DFS’s report, EyeMed was in the process of implementing multi-factor authentication at the time of the breach.
[3] Fortunately for EyeMed, the DFS did not rely upon the Second Amendment as guidance and impose even more economic sanctions on the company.
[4] Although the proposal would not prohibit the payment of ransom in order to effect the release of critical data or information, a covered entity would be required to advise the DFS if and why it made a ransom payment, which alternatives were considered, and how and what implications were assessed.
[5] Among others, recently the DFS imposed significant fines and other sanctions on Carnival Cruise Companies and Robinhood Crypto, LLC.

This newsletter may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.