Press "Enter" to skip to content

Violations of New York Cybersecurity Regulations Result in $4.5 Million Penalty

nydfs cybersecurity regulationsThe Superintendent for the New York Department of Financial Services recently announced a consent order assessing a $4.5 million penalty against a health insurance company for violations of the DFS Cybersecurity Regulations, 23 NYCRR, Part 500

The regulations apply to a “covered entity,” defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

In this case, a phishing attack likely allowed unauthorized access to six years’ worth of consumers’ non-public information. According to DFS, the company failed to:

  1. implement multi-factor authentication (§ 500.12);
  2. limit user access privileges (§ 500.07);
  3. implement sufficient data retention and disposal processes (§ 500.13); and
  4. conduct an adequate risk assessment (§ 500.09).

In addition to the monetary penalty, the company is required conduct a comprehensive risk assessment, to include: a) reasonably necessary changes to address material issues identified in the assessment; b) plans for revisions of controls to respond to technological developments and evolving threats; and c) plans for updating or creating additional written policies and procedures.

To its credit, the company’s “commendable cooperation throughout [the] investigation” was acknowledged by DFS as well as its “ongoing and completed efforts to remediate the shortcomings identified in this Consent Order.”  This is contained in the “Monetary Penalty” section of the Consent Order, so presumably this favorable conduct had a positive impact on the amount of the penalty.

PROPOSED AMENDMENTS TO CYBERSECURITY REGULATIONS

DFS recently announced proposed amendments to its Cybersecurity Regulations that, if implemented, would require:

  • The creation of three tiers of companies, further tailoring the regulation to a diverse set of businesses with different defensive needs. Furthermore, based on feedback from the industry and in recognition of the realities of operating a small business, the proposed amendment increases the size threshold of smaller companies that are exempt from many parts of the regulation;   
  • Enhanced governance requirements, thereby increasing accountability for cybersecurity at the Board and C-Suite levels;  
  • Additional controls to prevent initial unauthorized access to technology systems and to prevent or mitigate the spread of an attack;  
  • Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity and disaster recovery planning; and  
  • Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.  

DFS is accepting public comment on the proposed amendments through Jan. 9, 2023. For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.

Photo: finecki/stock.adobe.com

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.