September 28, 2022

Volume XII, Number 271

$600,000 Reasons To Review Your SHIELD Act Compliance Program: NY Attorney General Announces Significant Settlement Stemming From Email Data Breach

On January 24, 2022, New York Attorney General Letitia James announced a $600,000 settlement agreement with EyeMed Vision Care, a vision benefits company, stemming from a 2020 data breach compromising the personal information of approximately 2.1 million individuals across the United States, including nearly 99,000 in New York State (the “Incident”).

This settlement was the result of an enforcement action brought by the NY Attorney General under New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). Enacted in 2019, the SHIELD Act aims to strengthen protections for New York residents against data breaches affecting their private information. The SHIELD Act imposes expansive data security obligations and updates New York’s existing data breach notification requirements. Our SHIELD Act FAQs are available here.

Notably, EyeMed found itself in the AG’s crosshairs not because of what it did after discovering the Incident, but instead because of what it failed to do beforehand.  Specifically, the AG alleged that, pre-Incident, EyeMed had not maintained reasonable safeguards in the areas of authentication, password management, logging and monitoring, and data retention.  The AG also alleged that EyeMed’s privacy policy had misrepresented the extent to which it protected the privacy, security, confidentiality, and integrity of personal information.

Based on these findings, the AG successfully secured—in addition to the $600,000 payment—EyeMed’s agreement to maintain a written information security program.  This program must include, at minimum, policies and procedures related to password management, authentication and account management, encryption, penetration testing, logging and monitoring, and data retention.  EyeMed is required to review this program annually and to provide training to its workforce on compliance with the program’s requirements.

The EyeMed breach stemmed from a common form of cyberattack in which the bad actor gains access to one or more of an organization’s email accounts, and to the sensitive data stored in them. In EyeMed’s case, the bad actor accessed emails and attachments containing a wide range of PHI and PII, including:

  • Names;

  • Contact information, including addresses;

  • Dates of birth;

  • Account information, including identification numbers for health insurance accounts and vision insurance accounts;

  • Full or partial Social Security Numbers;

  • Medicaid and Medicare numbers;

  • Driver’s license or other government ID numbers;

  • Birth or marriage certificates;

  • Medical diagnoses and conditions; and

  • Medical treatment information.

EyeMed first became aware of the bad actor’s activities on July 1, 2020—one (1) week after the attacker initially gained access to EyeMed’s email account—and subsequently blocked the bad actor’s access to this account.  After conducting an internal investigation and engaging a forensic cybersecurity firm (through outside counsel), EyeMed determined that the bad actor may have exfiltrated documents and information from the account.  Beginning on September 28, 2020, EyeMed began notifying affected individuals and regulators about the breach, and offering them identity theft protection services.

The SHIELD Act is far-reaching.  It affects any business (including a small business) that holds private information of a New York resident—regardless of whether the organization does business in New York. Under the Act, individuals and businesses that collect computerized data, including private information about New York residents, must implement and maintain reasonable administrative, physical, and technical safeguards.

The fine and non-monetary requirements of the EyeMed settlement are significant and highlight the need for organizations to carefully craft—and regularly revisit—their written information security programs.  As the AG made clear when announcing this settlement, enforcing compliance with the SHIELD Act’s mandate that organizations maintain reasonable data security safeguards will be a focal point for her office moving forward.

Jackson Lewis P.C. © 2022 National Law Review, Volume XII, Number 47

About this Author

Damon Silver, Employment Lawyer, Corporate Matters, Jackson Lewis
Associate

Damon W. Silver is an Associate in the New York City, New York, office of Jackson Lewis P.C.

In his Privacy, e-Communication and Data Security practice, Mr. Silver advises clients in various industries on compliance with federal and international privacy laws, including HIPAA, the ADA, GINA, FMLA, the TCPA, FCRA, and the EU-U.S. Privacy Shield. He also provides guidance to organizations on data breach prevention and response.

In the area of employment litigation, Mr. Silver defends...

212-545-4063
Gregory Brown Employment Lawyer Jackson Lewis Law Firm
Associate

Gregory C. Brown, Jr. is an associate in the New York City, New York, office of Jackson Lewis P.C. His practice focuses on representing employers in workplace law matters, including pre-litigation claims and litigation, as well as preventive advice and counseling.

Gregory’s practice involves defending employers against claims of discrimination, harassment, and retaliation before federal and state courts and administrative agencies. As a member of the firm’s Privacy, Data, and Cybersecurity group, Gregory also assists employers in navigating emerging issues...

212-545-4000