Legal Update
Feb 3, 2022
New York Attorney General’s Office’s Recent EyeMed Investigation Highlights Need to Meet Expanded Data Privacy Standards of New York’s SHIELD Act
Earlier this month, the New York Attorney General’s Office issued findings of its investigation into a data security incident involving EyeMed Vision Care LLC (“EyeMed”) as well as the agreement that it entered into with the company in exchange for not pursuing further statutory charges.[1] The settlement included a fine of $600,000, a marked increase from the $200,000 settlement reached with an online retailer in response to another breach earlier this year.
The findings and agreement are instructive for companies seeking to understand how the New York Attorney General’s Office interprets current requirements for businesses in response to breaches of corporate cybersecurity, particularly in light of New York’s data privacy regulations under the SHIELD Act, and the increasing level of financial penalties levied against companies that are revealed to have inadequate security infrastructure in investigations after a breach.
Background: New York’s SHIELD Act Provides Heightened Data Security Requirements
In March 2020, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, New York’s legislative response to the significant increase in data security incidents, went into effect. The SHIELD Act, through revising General Business Law § 899-aa and adding § 899-bb, heightened requirements for companies in response to data security incidents and expanded definitions contained in the previous data security laws.
Of particular significance, the SHIELD Act expanded the type of personal information that triggers breach notification requirements when exposed, widening it to specifically include account numbers, biometric information, credit or debit card numbers, access codes, usernames, email addresses, passwords, and security questions and answers. The SHIELD Act also broadened the definition of breach to include not only the acquisition of data and personal information, but also the more fundamental act of having data accessed, even absent evidence that any data was actually obtained by the threat actors. More generally, the SHIELD Act established requirements for businesses to maintain reasonable data privacy safeguards to protect against the unauthorized access or acquisition of personal information, including by integrating data security programs into their existing infrastructure, and requiring them to designate a corporate lead to oversee cybersecurity practices. Beyond broadening the specific terms, it also expanded its reach beyond companies that operate in New York to cover companies that own or license the information of any resident of the state, regardless of where they operate.
The data security compliance standards expanded by the SHIELD Act have spurred companies to remodel their data privacy infrastructure and install heightened security protocols to adequately safeguard personal information. The EyeMed Assurance of Discontinuance reinforces the standards of the SHIELD Act and provides insight into the additional remedial measures that companies may be expected to take in the wake of a security incident.
Investigation and Findings of EyeMed’s Data Security Incident
According to the New York Attorney General’s findings, in late June of 2020 a threat actor accessed a single email account at EyeMed which had been used by some corporate clients to input the personal information of individuals for medical insurance purposes.[2] Over the course of the following week, the threat actor had access to information spanning the previous six years in EyeMed’s email server.[3]
At the conclusion of the initial week of intrusion, the threat actor also used the email account to send roughly 2,000 phishing emails, which flagged EyeMed’s internal IT department and caused access to the email account to be blocked.[4]
Subsequent investigation concluded that personal information of more than 2 million individuals and almost 100,000 residents of New York had been accessed, including contact information, medical account information, Social Security Numbers, as well as other categories of private, personally identifying information.[5]
Following the conclusion of the investigation, EyeMed followed applicable state data breach notification requirements and began notifying individuals regarding the breach, offering complimentary credit monitoring and fraud consultation and identity theft monitoring services.[6]
Upon investigation, the New York Attorney General’s Office concluded that EyeMed’s cybersecurity protocols did not meet certain requirements of §§ 899-aa and 899-bb.[7] In particular, the Attorney General identified four areas of deficiency: authentication, password management, logging and monitoring, and data retention in the affected email account.[8] For example, the New York Attorney General’s Office found that EyeMed’s failure to integrate multifactor authentication and require sufficient password complexity, especially given that the account was accessible over the web and held individuals’ personal information, fell short of applicable data privacy standards. The investigation also concluded that once an attack had taken place, EyeMed lacked the requisite logging and monitoring systems for email accounts that would have enabled it to conclude with more certainty what precise data for specific individuals was accessed. The New York Attorney General’s Office also found EyeMed’s six-year data retention period to be unreasonable in the context of the volume of personal information that it maintained. Ultimately, the investigation found that EyeMed had misrepresented the extent of its cybersecurity safeguards and failed to adequately meet the standards set out by New York State data privacy laws.[9]
In lieu of pursuing EyeMed for statutory violations, EyeMed and the New York Attorney General’s Office agreed to various changes in EyeMed’s cybersecurity practices and procedures, as well as a fine of $600,000.[10] With the agreement, the New York Attorney General’s Office reinforced the requirement of a written information security program and the corresponding mandates to internal cybersecurity infrastructure, such as the appointment of an employee responsible for maintaining it.[11] The agreement also included requirements to more adequately maintain password complexity and multifactor authentication, as well as advanced information encryption, penetration testing, logging and monitoring, data deletion, and extension of the credit monitoring and identity theft restoration services provided to individuals affected by the incident.[12]
Takeaways
As data breaches and other cyber-attacks become ever more prevalent, it is critical that companies have effective, up-to-date safeguards in place. The results of the EyeMed investigation demonstrate that businesses operating in New York must ensure that their cybersecurity policies and procedures are fully compliant with the New York SHIELD Act and other applicable laws and regulations. It is more important than ever for companies to prioritize creating and updating written data security protocols and information security programs, to revise data retention policies to limit the number of individuals potentially affected by any breach, and to proactively shape their cybersecurity infrastructure to provide the best possible monitoring and response to any potential data security incident.
[1] See Assurance of Discontinuance, In the Matter of Investigation by Letitia James, Attorney General of the State of New York, of Eyemed Vision Care, LLC, Assurance No. 21-071 (Jan. 18, 2022), which has been posted on the New York Attorney General’s Office website here: https://ag.ny.gov/sites/default/files/eyemed_aod_-_final_-_fully_signed.pdf
[2] Id. ¶ 1.
[3] Id. ¶ 2.
[4] Id. ¶ 5.
[5] Id. ¶ 2.
[6] Id. ¶ 7.
[7] Id. ¶ 8.
[8] Id.
[9] Id.
[10] Id. ¶¶ 21-28.
[11] Id. ¶ 16.
[12] Id. ¶¶ 21-27.