
ARTICLE

Lessons Learned from EyeMed Vision Care’s Cybersecurity Settlement

Dimple T Shah

Summary

  • EyeMed Vision Care LLC agreed to a $4.5 million settlement for violating the New York State Department of Financial Services’ Cybersecurity Regulation. The violation contributed to the exposure of hundreds of thousands of consumers’ non-public health data.
  • As a result, counsel should keep a few key takeaways from the settlement in mind.
  • Covered entity policies, procedures, and controls must align with the New York cybersecurity regulation.
  • Revisit third-party vendor agreements to ensure audits meet the regulation’s standards and address relevant risks.

On October 18, 2022, the New York State Department of Financial Services (DFS) announced that EyeMed Vision Care LLC agreed to a $4.5 million settlement for violating DFS’s Cybersecurity Regulation (23 NYCRR Part 500). The 2020 cybersecurity event contributed to the exposure of hundreds of thousands of consumers’ non-public health data. (The DFS cybersecurity regulation defines a “cybersecurity event” as “an action or attempt, whether or not successful, to gain unauthorized access to information stored on an information system or disrupt or misuse such information system”. 23 NYCRR 500.01(d).)

The Cybersecurity Event

On July 1, 2020, EyeMed discovered that a bad actor had gained access (through a successful phishing scheme) to a shared EyeMed email box that contained over six years’ worth of consumer nonpublic information (NPI), including that of minors.

MFA Authentication, User Access Privileges, and NPI Disposal Processes

EyeMed, a DFS-regulated company, routinely collects NPI from customers for business purposes. The DFS investigation revealed that EyeMed violated the cybersecurity regulation by failing to implement multi-factor authentication (MFA) throughout its email environment in a timely manner. The company also failed to limit user access privileges: nine employees shared the same login credentials to the compromised email box.

In addition, EyeMed did not implement sufficient data retention and NPI disposal processes. Had these controls been in place in July 2020, the cybersecurity event could have been limited in scope or prevented.

Risk Assessments

EyeMed lacked a regulation-compliant risk assessment to evaluate the risks to its information technology systems and stored NPI. DFS determined that, while EyeMed engaged third-party vendors to conduct periodic IT audits and Enterprise Risk Management reviews, none of the performed assessments addressed the risks connected with the NPI stored in the email box.

The regulation requires covered entities to certify compliance annually. In light of department findings, EyeMed’s 2017 through 2020 compliance certifications were deemed improper.

Remediation

As part of the settlement, EyeMed agreed to take data protection measures such as conducting a comprehensive cybersecurity risk assessment consistent with the regulation and developing an action plan describing how the identified risks will be addressed. The plan is subject to DFS approval.

Key Takeaways

  • Covered entity policies, procedures, and controls must align with the New York cybersecurity regulation. For example, MFA should be deployed for any individual accessing internal networks from an external network. The regulation carves out an exception for a reasonably equivalent or more secure access control, which requires written approval from the company’s Chief Information Security Officer. (Recently, Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, touted the work of the Fast Identity Online Alliance [FIDO], an advocacy group of world technology and business leaders. According to Easterly, FIDO has issued “gold standard” protocols to advance password-less authentication.)
  • A robust risk assessment shapes compliant cybersecurity policies. For example, proper NPI disposal policies and practices minimize the amount of NPI accessible to unauthorized third parties during a cybersecurity event.
  • Revisit third-party vendor agreements to ensure audits meet the regulation’s standards and address relevant risks.
