On October 18, 2022, the New York State Department of Financial Services (DFS) announced that EyeMed Vision Care LLC agreed to a $4.5 million settlement for violating DFS’s Cybersecurity Regulation (23 NYCRR Part 500). The 2020 cybersecurity event contributed to the exposure of hundreds of thousands of consumers’ non-public health data. (The DFS cybersecurity regulation defines a “cybersecurity event” as “an action or attempt, whether or not successful, to gain unauthorized access to information stored on an information system or disrupt or misuse such information system”. 23 NYCRR 500.01(d).)
The Cybersecurity Event
On July 1, 2020, EyeMed discovered that a bad actor had gained access, through a successful phishing scheme, to a shared EyeMed email mailbox containing over six years’ worth of consumer nonpublic information (NPI), including that of minors.
Multi-Factor Authentication, User Access Privileges, and NPI Disposal Processes
EyeMed, a DFS-regulated company, routinely collects NPI from customers for business purposes. The DFS investigation found that EyeMed violated the Cybersecurity Regulation by failing to implement multi-factor authentication (MFA) throughout its email environment in a timely manner. The company also failed to limit user access privileges, allowing nine employees to share the same login credentials for the compromised mailbox.
In addition, EyeMed did not implement sufficient data retention and NPI disposal processes. Had these controls been in place in July 2020, the cybersecurity event could have been prevented or limited in scope.