On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision benefits provider EyeMed Vision Care, Inc., relating to a 2020 security incident in which a threat actor obtained access to an email account that enabled the threat actor to access personal information of consumers including, but not limited to, dates of birth; health insurance and vision insurance account ID numbers; Social Security numbers; Medicaid numbers; Medicare numbers; driver’s license numbers; and medical treatment information. In total, information for approximately 2.1 million individuals was exposed, including approximately 98,632 New Yorkers.
The AG began an investigation based on New York’s Executive Law § 63(12) [deception] and General Business Law §§ 349 [deception] and 899-bb. The latter is the 2019 data security law known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. EyeMed neither admitted nor denied the AG’s findings in the settlement.
According to the settlement agreement, the threat actor obtained access to the EyeMed email account on approximately June 24, 2020 and not only obtained access to six years’ worth of information, but also began sending 2,000 phishing emails on July 1. Those emails came to the attention of EyeMed’s IT department and also its customers, who complained. EyeMed blocked the threat actor’s access on July 1. EyeMed engaged a forensic investigator, which was unable to determine whether any exfiltration of personal data had occurred, due in part to a lack of log data.
EyeMed notified affected individuals and offered credit monitoring, fraud consultation, and identity theft restoration services.
Unlike the New York Department of Financial Services’ cybersecurity regulation that applies to financial services, New York’s SHIELD Act applies broadly and contains more general requirements:
Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.
According to the settlement agreement, the AG concluded that EyeMed’s security practices did not meet the requirements of the SHIELD Act with respect to four requirements: authentication, password management, logging and monitoring, and data retention in the email account. More specifically, the AG found with respect to multifactor authentication:
EyeMed failed to implement multifactor authentication (“MFA”) for the affected email account, despite the fact that the account was accessible via a web browser and contained a large volume of consumers’ sensitive personal information. EyeMed was aware of the importance of MFA to reasonable data protections, having required MFA for years before the attack for users to access EyeMed’s VPN.
Similarly, with respect to password management, EyeMed required an 8-character password for the affected email account while requiring a 12-character password for administrator accounts, which the AG found demonstrated that EyeMed was aware of the importance of password complexity. The settlement also stated that “the password that the attacker used to gain access to the account was insufficiently complex given the sensitivity of the information in the enrollment account.” The settlement further noted that, “at the time of the attack, EyeMed permitted six failed login attempts before locking out the user ID,” although EyeMed later decreased the number of permitted attempts.
With respect to logging, the AG found that at the time of the attack, EyeMed’s systems offered “limited logging capabilities and did not allow recording of logs for longer than 90 days or permit visibility into an individual’s activities within the email account mailbox.” The AG concluded: “EyeMed failed to maintain adequate logging and monitoring of its email accounts . . .”
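The logging finding above is about visibility into what an account actually did, and about keeping enough history to reconstruct it. The following added example (not from the settlement or EyeMed, and using a constructed audit-log format and constructed sample events) shows the two checks that such per-mailbox logs make possible: flagging a login from an IP address never before seen for that account, and flagging a burst of outbound messages like the phishing wave described in this incident.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample mailbox audit events (not real EyeMed data). The field
# layout is an assumption: ISO-8601 UTC timestamp, account, operation, client IP.
BASELINE = """\
2020-06-22T14:01:00Z enroll@example.test MailboxLogin 198.51.100.20
2020-06-22T14:05:00Z enroll@example.test Send 198.51.100.20
2020-06-24T09:12:03Z enroll@example.test MailboxLogin 203.0.113.7
2020-06-24T09:15:41Z enroll@example.test MailItemsAccessed 203.0.113.7
2020-06-25T11:02:10Z enroll@example.test MailItemsAccessed 203.0.113.7
"""
# A constructed burst: 120 outbound messages from the unfamiliar IP, one every 3 seconds.
BURST = "".join(
    f"2020-07-01T08:{i // 20:02d}:{(i % 20) * 3:02d}Z enroll@example.test Send 203.0.113.7\n"
    for i in range(120)
)
SAMPLE_LOG = BASELINE + BURST


def parse_log(text):
    """Parse the assumed whitespace-separated format into sorted (ts, account, op, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, op, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, op, ip))
    return sorted(events)


def detect(events, window=timedelta(minutes=10), max_sends=50):
    """Return findings: ("new_login_ip", ...) for a login from an IP not previously
    seen for the account, and ("send_burst", ...) when more than max_sends Send
    operations fall inside any sliding window of the given length."""
    seen_ips = defaultdict(set)
    recent_sends = defaultdict(deque)
    findings = []
    for ts, account, op, ip in events:
        if op == "MailboxLogin" and ip not in seen_ips[account]:
            if seen_ips[account]:  # first login for the account is the baseline, not a finding
                findings.append(("new_login_ip", account, ip, ts))
            seen_ips[account].add(ip)
        if op == "Send":
            q = recent_sends[account]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop sends that fell out of the sliding window
            if len(q) > max_sends:
                findings.append(("send_burst", account, ip, ts))
                q.clear()  # report once per burst, then start counting again
    return findings
```

With the constructed data, the new-IP login on June 24 is reported before any phishing is sent, which is the kind of early signal that logs retained only 90 days and without per-mailbox detail would not support.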
With respect to data retention, however, the SHIELD Act is more specific: it requires that a business “dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.” The AG stated:
It was unreasonable to leave personal information in the affected email account for up to six years rather than to copy and store such information in more secure systems and delete the older messages from the affected email account, particularly in light of the unreasonable protections for the affected email account at the time of the breach . . .
To resolve the matter, although EyeMed did not admit or deny the findings, EyeMed agreed to pay the AG $600,000 and to maintain a written information security program addressing the points made above, and to provide encryption of personal information, a “reasonable penetration testing program,” and an annual certification of compliance to the AG for the next three years.
The NY AG’s settlement with EyeMed is noteworthy for several reasons:
(1) The AG appears to use EyeMed’s partial (or incremental) data security measures as evidence that EyeMed understood the value of them, but found its failure to implement them across the organization as evidence of unreasonable security. This potentially dangerous precedent could disincentivize companies from taking data security steps if companies cannot get universal application (which is often technically and administratively difficult). Although organizations should consider the optics of partial implementation, companies should not forgo the risk mitigation of incremental improvements.
(2) The EyeMed settlement shows regulators’ growing and continued emphasis on reasonable record retention and data disposition. Record retention often plays second fiddle in data security and privacy compliance programs, but the theft of old, unused personal information is something that regulators can quickly identify. A mere retention policy and schedule that employees are not meaningfully following is unlikely to shield an organization from regulatory scrutiny.
(3) Organizations should review how long they retain data security logs and make sure they will have enough information to investigate a cyber incident. Logs should not, and cannot, be kept permanently, but given that threat actors can hide in IT systems for months, retention of a few weeks or 30 days is likely insufficient.