On October 18, 2022, EyeMed Vision Care LLC (“EyeMed”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) relating to a cybersecurity event from 2020 that exposed consumer nonpublic information (“NPI”) to an unauthorized individual. EyeMed agreed to pay DFS a $4.5 million penalty, in addition to implementing mandatory remediation measures, including a comprehensive cybersecurity risk assessment of its information systems (and corresponding action plan for DFS’s review and approval). It is noteworthy that the Consent Order follows EyeMed’s agreement with the New York Attorney General’s Office to pay $600,000 related to the same cybersecurity event in the Assurance of Discontinuance announced earlier this year. The cybersecurity event appears to have been the result of a phishing campaign, which allowed the threat actor access to an email account used by EyeMed to process enrollment (the “Mailbox”) for one week, June 24, 2020-July 1, 2020 (before EyeMed blocked the unauthorized access).
The Consent Order highlighted four material cybersecurity failings that the DFS alleged could have prevented or limited the cybersecurity event:
- Failure to Implement and Maintain Multi-factor Authentication to Protect NPI. At the time of the event, EyeMed was in the process of implementing MFA on its email platform (Microsoft Office 365), but had failed to fully deploy MFA (or equivalent or more secure access controls, approved in writing by EyeMed’s CISO, as required by 23 NYCRR § 500.12(b)) for all email accounts, including the Mailbox, until September 18, 2020 (well after § 500.12(b) became effective on March 1, 2018). According to DFS, by failing to protect EyeMed email accounts with MFA, EyeMed left its information systems and consumer NPI vulnerable to threat actors. DFS continues to highlight the importance of MFA as an “essential” cybersecurity control, as noted in past guidance.
- Lack of Adequate Risk Assessment. Despite EyeMed engaging various third-party vendors to conduct periodic audits of the company’s IT controls and enterprise risk management reviews, DFS concluded that EyeMed failed to conduct a risk assessment of the Mailbox, in violation of 23 NYCRR § 500.09(a). Even after discovering the cybersecurity event in 2020, EyeMed still did not perform a risk assessment of the Mailbox (“[t]o date, EyeMed has not conducted a Risk Assessment that complies with the requirements of the Cybersecurity Regulation, Section 500.09(a)”) (emphasis added). Periodic risk assessments, “a core component of a robust cybersecurity program,” should sufficiently inform the covered entity’s cybersecurity program and, according to DFS, none of EyeMed’s assessments addressed risks associated with NPI stored on the Mailbox.
- Failure To Limit User Access Privileges. The login credentials for the Mailbox were shared amongst nine EyeMed employees and protected only by a weak password, making the Mailbox more vulnerable to threat actors.
- Insufficient Data Disposal Policies and Procedures. While the intrusion only lasted for one week, the Mailbox contained consumer NPI dating back six years prior to the cybersecurity event. DFS found that EyeMed “failed to implement a sufficient data minimization strategy and disposal process for the Mailbox,” allowing the threat actor access to NPI that may no longer be necessary for EyeMed’s business operations or other legitimate business purposes, in violation of 23 NYCRR § 500.13. Accordingly, covered entities should carefully review their data retention and disposal policies to ensure that they sufficiently dispose of NPI once they no longer have a legitimate business purpose to retain the NPI.
EyeMed agreed to continue strengthening its cybersecurity controls by, among other things, conducting a comprehensive cybersecurity risk assessment and developing an action plan to address the risks identified in the assessment.