State Regulators Aggressively Apply Enforcement Actions in Cybersecurity Incidents
Vision health insurance giant EyeMed Vision Care will pay $4.5 million to New York regulators to settle an investigation into its 2020 data breach incident.
A consent order signed by the company prevents it from using its own insurance to pay the multimillion-dollar fine to the state Department of Financial Services. The company must also submit a plan for improving cybersecurity, including full implementation of the multifactor authentication that wasn’t fully activated when the breach occurred.
States are becoming more aggressive in applying enforcement actions against data breaches, say regulatory attorneys.
Hackers were able to penetrate an inbox shared by nine employees and used for enrollment processing that was “protected only by a weak password,” regulators say. Inside the inbox was six years’ worth of customer emails and attachments. EyeMed say a phishing scheme is the most likely culprit.
The Department of Financial Services says hundreds of thousands of consumers’ sensitive data was exposed.
The New York attorney general, in an earlier settlement with EyeMed over the same incident, put the affected breach total at 2.1 million U.S. residents.
EyeMed system administrators detected the attack only after the attacker sent approximately 2,000 phishing emails from the enrollment account asking for customer login credentials.
At the time of the incident, EyeMed was rolling out multifactor authentication after it had migrated to the Microsoft Office 365 email platform in 2018, but it didn’t complete the rollout until September 2020. New York’s cybersecurity regulation for the financial industry mandates multifactor for external access to internal network resources. In multifactor’s absence, CISOs must approve in writing the use of another access control.
Earlier Enforcement Action
This settlement marks the second time EyeMed, an Ohio-based subsidiary of Italian eyeware conglomerate Luxottica Group PIVA, has agreed to a settlement over the incident with New York regulators, having already agreed to a $600,000 settlement in January with the attorney general. EyeMed also pledged in that settlement to implement a slew of cybersecurity improvements (see: NY Fines Vision Benefits Firm $600,000 for 2020 Breach).
Expect more state agencies to respond to consumer data breaches with fines and other requirements. “One by one, states are ramping up protections for personally identifiable information,” says Paul Hales of Hales Law Group, who was not involved in the EyeMed case. Legislators or voters have recently approved privacy laws in California, Colorado, Connecticut, Utah and Virginia.
Some attorneys general are invoking latitude for state enforcement granted by federal laws (see: Debt Collection Firm Reaches Breach Settlement With States).
The growing number of authorities may also mean multiple enforcement actions over a single incident even within a single state, as EyeMed experienced in New York. The state attorney general invoked state consumer protection law and HIPAA as authority for its January settlement.
The Department of Financial Services turned to its own bespoke cybersecurity regulation governing the financial industry.
“Various agencies may not be coordinating with each other because of their respective scope of authority,” says regulatory attorney Rachel Rose, who was not involved in the EyeMed case.