
The NY Department of Financial Services Announces a $1.8 Million Data Breach Settlement With Life Insurers

The New York Department of Financial Services (“NYDFS”) recently announced that it has entered into a Consent Order with two affiliated life insurers for alleged violations of New York’s Cybersecurity Regulation (the “NY Cybersecurity Regulation”). The NYDFS conducted an investigation and determined that the two life insurers (the “Companies”) had been the subject of two phishing attacks in 2018 and 2019, which compromised the email accounts of several of the Companies’ employees, with access to a significant amount of sensitive and personal data of their customers. The NYDFS indicated that its investigation revealed the Companies allegedly violated the NY Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”) and by not implementing, in its place, reasonably equivalent or more secure access controls approved in writing by the Companies. Additionally, the NYDFS alleged that the Companies falsely certified compliance with the NY Cybersecurity Regulation in 2018 because MFA was not fully implemented. The NYDFS also alleged that the two data breaches resulted in the exposure of a large amount of non-public personal data belonging to the Companies’ customers.

Under the Consent Order, the Companies agreed to: (1) pay a $1.8 million monetary penalty to the State of New York; (2) conduct a cybersecurity risk assessment within 120 days of the effective date of the Consent Order and submit the assessment results to the NYDFS; and (3) have an independent third party conduct an audit of current MFA controls and submit the results to the NYDFS within 120 days of the effective date of the Consent Order, to ensure the Companies’ cybersecurity programs fully comply with the NY Cybersecurity Regulation.

Read the source article at jdsupra.com
