December 1, 2022

Volume XII, Number 335



Keeping Both Eyes on Cybersecurity

The New York State Attorney General’s finding that EyeMed Vision Care LLC had failed to protect customer data in violation of the NY SHIELD Act provides insights for companies on how to protect information. New York’s SHIELD Act applies, as we have written previously, to any organization owning or licensing the information of a NYS resident, not just organizations located in New York. It requires companies to take reasonable administrative, technical, and physical safeguards to protect collected personal information.

The underlying incident occurred when an attacker gained access to an EyeMed email address for a week and used it to send 2000 phishing emails to EyeMed clients. During that time, the attacker accessed, and had the ability to exfiltrate, emails and attachments containing customer information dating back as far as 2014. EyeMed retained counsel, engaged a reputable forensic cybersecurity firm to assist with its investigation, and offered impacted individuals credit monitoring, fraud consultation, and identity theft restoration.

While the attorney general did not comment on EyeMed’s incident response process, the office felt that the company’s prior actions, or lack thereof, helped lead to the incident. Of particular concern were the following elements:

  • Lack of multi-factor authentication on the compromised web-facing email account.

  • Insufficient password management requirements on an account that contained large volumes of customer information (a minimum password length of only eight characters; six failed login attempts were allowed before the user account was locked).

  • Account logs were retained for only 90 days.

  • Stored emails containing customer information dated back as far as 2014.

As a result of the investigation, EyeMed was required to update its internal processes to address these concerns. EyeMed also agreed to pay a $600,000 fine.

Putting it into Practice: In keeping with other guidance from New York, the EyeMed settlement shows that the New York AG has very specific expectations of companies’ data security measures. These include password strength, logging capabilities, and data storage minimization.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 81

About this Author


Charles Glover is an associate in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Charles' practice focuses on breach response, data privacy law, and intellectual property disputes. His representations cover a variety of clients, including national banks, domestic airlines, and entertainment companies.

Charles’ solutions-oriented focus and diverse experience allow him to develop and implement dynamic strategies tailored to meet his clients’ needs. He has helped clients of all sizes and stages...


Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...