October 26th, 2022
New York Regulator Says Even One Access Control Failure Can Invalidate Years of Compliance Certifications
The New York Department of Financial Services (“NYDFS”) recently entered into a Consent Order (the “Consent Order”) with EyeMed Vision Care LLC (“EyeMed”) over violations of the agency’s Cybersecurity Requirements (23 NYCRR Part 500) (“Part 500”). NYDFS alleged that EyeMed’s actions contributed to “exposure of hundreds of thousands of consumers’ sensitive, non-public, personal health data, including data concerning minors.” Under the Consent Order, EyeMed was required to pay $4.5 million, one of the highest penalties ever assessed by NYDFS for Part 500 violations. The Consent Order arguably expands current regulatory requirements for NYDFS-covered entities. Given the widespread recognition of NYDFS as a leader in cybersecurity regulation (including the FTC’s adoption of NYDFS-based requirements in its revisions to the Gramm-Leach-Bliley Act Safeguards Rule), the Consent Order may serve as a precedent for other privacy and data security regulators. Here’s what readers need to know.
What happened?
The Consent Order set forth these facts[1]:
In June 2020, a threat actor accessed an EyeMed email mailbox through a phishing attack. EyeMed had used the mailbox to process enrollment and to communicate with EyeMed group clients. As a result, the mailbox contained six years of “nonpublic personal information” as defined by Part 500. The threat actor sent 2,000 phishing emails from the mailbox in July 2020. EyeMed discovered the breach and turned off access to the mailbox at that time.
Nine EyeMed employees had access to the mailbox. Each of these employees used the same password. In addition, the mailbox did not have multifactor authentication enabled. NYDFS determined that these facts constituted a significant cybersecurity gap that violated Part 500.
In September 2020, EyeMed began notifying affected individuals and state Attorneys General. In January 2022, the New York Attorney General, Letitia James, fined EyeMed $600,000 and required the company to improve specified cybersecurity practices.
Which rules were violated?
The Consent Order specifies seven violations of Part 500:
1. 23 NYCRR § 500.02(b), which requires Covered Entities to maintain a cybersecurity program based on the Covered Entity’s Risk Assessment;
2. 23 NYCRR § 500.03, which requires Covered Entities to implement and maintain a cybersecurity policy, based on the Covered Entity’s Risk Assessment, that addresses information security, access controls and identity management, customer data privacy, and risk assessment;
3. 23 NYCRR § 500.07, which requires Covered Entities to limit user access privileges to Information Systems that provide access to Nonpublic Information;
4. 23 NYCRR § 500.09(a), which requires Covered Entities to conduct a periodic Risk Assessment of the Covered Entity’s Information Systems, sufficient to inform the design of the cybersecurity program;
5. 23 NYCRR § 500.12(b), which requires Covered Entities to implement multi-factor authentication for all users, or reasonably equivalent or more secure access controls approved in writing by the Chief Information Security Officer;
6. 23 NYCRR § 500.13, which requires Covered Entities to include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information; and
7. 23 NYCRR § 500.17(b), which requires Covered Entities to annually certify compliance with the Cybersecurity Regulation.
An expansion of current law.
Some of the violations cited, such as the failure to have multifactor authentication on the mailbox at issue (violation 5), have appeared in prior consent orders. However, this Consent Order includes new areas of focus, as well as interpretations of Part 500 that arguably expand current regulatory requirements.
First, in violation 6, NYDFS interprets Part 500.13 to be a complete data minimization requirement. However, Part 500.13 is written as a secure data disposal requirement.
“As part of its cybersecurity program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information identified in section 500.1(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.” (emphasis added)
NYDFS contends that more data was available to the threat actor as a result of EyeMed’s failure to securely dispose of certain data, because EyeMed did not use appropriate data minimization practices. This is an aggressive reading of Part 500.13. By interpreting the data disposal requirement to equal data minimization, NYDFS has expanded the regulatory requirement, without providing an opportunity for comment.
Second, the Consent Order contains an even more aggressive set of NYDFS interpretations that places covered entities in greater regulatory peril. Linked together, this is the result:
- because multiple people had access to a single mailbox with a single password, NYDFS determined that EyeMed did not have appropriate access controls;
- because there were not appropriate access controls on the mailbox, and there was no specific reference to controls for the mailbox in EyeMed’s Risk Assessment, the entire Risk Assessment failed to be an “adequate” Risk Assessment under Part 500, and therefore no Risk Assessment under Part 500.9 existed;
- because the Risk Assessment is the core requirement of Part 500, the failure to have an “adequate” Risk Assessment meant that it was not possible for EyeMed to have properly certified compliance with Part 500 pursuant to Part 500.17(b); and
- therefore, EyeMed was determined to have falsely certified compliance for all years at issue (2017-2020).
Good faith filings were insufficient.
NYDFS states in the Consent Order:
“Although EyeMed’s certifications were timely and, the Company asserts, made in good faith when filed, in light of the foregoing findings, EyeMed was not in compliance with the Cybersecurity Regulation at the time of the certifications. Thus, EyeMed’s certifications filings for the calendar years 2017 through 2020, attesting to its compliance with the Cybersecurity Regulation, were improper.” (emphasis added)
Take-aways.
These new NYDFS interpretations create significant complications for covered entities that make good faith efforts to comply with Part 500. Part 500.9 does not on its face require that Risk Assessments be done at a “component” level. The Securities and Exchange Commission had included this type of requirement in its Investment Adviser Rule Proposal in February[2]. The SEC received comments[3] objecting to this approach, as it does not comport with current standards in information security. This interpretation also appears to go beyond the NYDFS proposal for revisions to Part 500 that was published for comment.
NYDFS is seen as a leader in cybersecurity regulation, and the Part 500 requirements have been adopted or copied indirectly by federal and state regulators and legislatures. For example, the National Association of Insurance Commissioners adopted a Model Data Security Law (the “Model Law”) largely based on Part 500 in 2017, and over 15 states have passed laws based on the Model Law. The Depository Trust & Clearing Corporation formally recognized Part 500 certifications in its Cybersecurity Rule Filings in 2019. The Federal Trade Commission publicly adopted many Part 500 requirements in its updates to the Standards for Safeguarding Customer Information, otherwise known as the Safeguards Rule. The Securities and Exchange Commission clearly reviewed Part 500 in drafting the proposed Cybersecurity Rule for investment advisers and investment companies. And the New York Attorney General appears to have used prior NYDFS consent orders as a model for her enforcement action against EyeMed.
Virtually all data breaches result from a control failure that was not identified in a risk assessment. This new NYDFS interpretation will increase both the complexity of the risk assessment process and the inevitability of a regulatory failure if a data breach does occur. Covered entities should reassess their Risk Assessment policies and procedures in light of this new NYDFS interpretation; they now appear to need audit-ready compliance programs that map the manner in which each element of the cybersecurity program complies with Part 500. Good faith attempts to comply with Part 500 may not be enough to avoid regulatory sanctions.
Companies in other industries should expect Attorneys General and other regulators to consider these interpretations as well. IT and cybersecurity organizations are becoming more highly regulated in the US. Compliance programs, not just information security programs, need to keep up.
If you have questions about the EyeMed Vision Care Consent Order, or about other privacy and data security compliance issues, please contact Rick Borden at (212) 705-4884 or rborden@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
___________________
[1] https://www.dfs.ny.gov/system/files/documents/2022/10/ea20221018_eyemed.pdf
[2] https://www.sec.gov/rules/proposed/2022/33-11028.pdf
[3] See https://www.sec.gov/comments/s7-04-22/s70422-20123280-279547.pdf at p. 12.