New York DFS announces $4.5 million cybersecurity settlement

Cybersecurity, Regulatory Updates
Wednesday, October 19, 2022

 New York Department of Financial Services (NYSDFS) Superintendent Adrienne Harris announced EyeMed Vision Care LLC will pay a $4.5 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ sensitive, non-public, personal health data, including data concerning minors. 

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” Harris said. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.” 

EyeMed, a licensed health insurance company, collects non-public information from its customers in the normal course of business. The department’s investigation revealed that as a result of a July 1, 2020, phishing attack, a bad actor gained access to a shared EyeMed email mailbox which contained over six years’ worth of consumer non-public information (“NPI”), including that of minors.  

Upon further investigation, the department found that, among other things, EyeMed had violated the department’s cybersecurity regulation by failing to implement multi-factor authentication (MFA) throughout its email environment. Moreover, EyeMed failed to limit user access privileges by allowing nine employees to share login credentials to the affected email mailbox and failed to implement sufficient data retention and disposal processes, resulting in over six years’ worth of consumer data being accessible through the affected email mailbox. Had these controls been in place, the July 1, 2020, cybersecurity event could have been prevented or been limited in scope.  

In addition, the department discovered EyeMed failed to conduct an adequate risk assessment, a core requirement of the cybersecurity regulation, which could have identified the user access privilege and data disposal risks associated with the email mailbox that was subjected to the phishing attack. As a result, EyeMed’s cybersecurity certifications for the calendar years 2018 through 2021 were improper. 

As part of the settlement, EyeMed agreed to undertake significant remedial measures to better secure its data. Among other things, EyeMed will conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan describing how EyeMed will address the risks identified in that assessment. The action plan will be subject to the review and approval of the department.  

Copyright © 2000-2025 The Legal Description
An October Research, LLC publication