October 16, 2021

Volume XI, Number 289

New York Department of Financial Services Announces a $1.8 Million Settlement with Two Life Insurers for Data Breach Violations

The New York Department of Financial Services (“NYDFS”) recently announced that it has entered into a Consent Order with two affiliated life insurers for alleged violations of New York’s Cybersecurity Regulation (the “NY Cybersecurity Regulation”). The NYDFS conducted an investigation and determined that the two life insurers (the “Companies”) had been the subject of two phishing attacks in 2018 and 2019, which compromised the email accounts of several of the Companies’ employees, providing access to a significant amount of sensitive and personal data of their customers. The NYDFS indicated that its investigation revealed the Companies allegedly violated the NY Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”) while also not implementing, in its place, reasonably equivalent or more secure access controls approved in writing by the Companies. Additionally, the NYDFS alleged the Companies falsely certified compliance with the NY Cybersecurity Regulation in 2018 because MFA was not fully implemented. The NYDFS also alleged that the two data breaches resulted in the exposure of a large amount of non-public personal data belonging to the Companies’ customers.

Under the Consent Order, the Companies agreed to: (1) pay a $1.8 million monetary penalty to the State of New York; (2) conduct a cybersecurity risk assessment within 120 days of the effective date of the Consent Order and submit the assessment results to the NYDFS; and (3) have an independent third party audit their current MFA controls and submit the results to the NYDFS within 120 days of the effective date of the Consent Order to ensure the Companies’ cybersecurity programs fully comply with the NY Cybersecurity Regulation.

The NY Cybersecurity Regulation became effective in March 2017, and it has served as a model for other states, as well as for the National Association of Insurance Commissioners’ Insurance Data Security Model Law (“Model Security Law”), which applies to insurers, insurance agents, third-party administrators and other entities licensed by the state insurance departments. The Model Security Law requires insurance entities to establish and maintain a cybersecurity program designed to protect the confidentiality and integrity of their Information Systems, as well as any consumer non-public information.

Additionally, the Model Security Law requires covered entities to (1) certify compliance with the Model Security Law annually, (2) have a written incident response plan, (3) develop and maintain a comprehensive written security program based on the entity’s risk assessment, and (4) conduct risk management and risk assessment activities, including employee training and maintaining updates to network systems.

The Model Security Law or related legislation has been adopted in the following states: Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee and Virginia.

© Polsinelli PC, Polsinelli LLP in California
National Law Review, Volume XI, Number 193

About this Author

Counsel

Jennifer Osborn Nix works diligently for insurance companies, third-party administrators, and other regulated entities to further their goals and help them remain compliant within the 50-state regulatory scheme. She focuses on insurance regulatory and compliance issues, with a primary emphasis on life and health insurance matters.

Jennifer works with many regulated entities, including many in the health care sector, who rely on her for research, advice, strategic counsel, and licensing.

913.234.7472
Steven L. Imber, Polsinelli PC, Insurance Regulatory Attorney, Enforcement Actions Lawyer,
Shareholder

Steve Imber chairs Polsinelli's Insurance Business and Regulatory group.  As a former General Counsel at a state insurance department, Steve Imber has the knowledge and experience to provide quality counsel to insurers, third party administrators, insurance agencies, medical discount plans and other insurance regulated entities. His practice includes representing and assisting clients on multi-state and national licensing projects, research projects, enforcement actions, market conduct examinations, audits and compliance programs and various other regulatory and...

913.234.7469
Zachary R. Dyer Insurance Attorney Polsinelli Kansas City
Shareholder

Zachary Dyer offers practical advice and solutions for insurance industry clients and other entities dealing with this highly specialized field. He represents the interests of insurance and reinsurance companies, producers, MGAs/MGUs, and third-party administrators on a full range of corporate, transactional and regulatory matters including:

  • Multi-state insurance regulatory and corporate matters

  • InsurTech matters

  • Company formation, structuring, capitalization and...

816-360-4352
Shareholder

Justin Liby has a talent for organizing and managing large national and multi-state licensure and research projects. This knack provides him with a solid foundation for crafting and implementing sound, efficient strategies that achieve success for his clients. Justin concentrates his efforts on helping the insurance industry navigate the formidable federal and state regulatory maze to achieve the industry’s business needs. He stays current in the insurance industry's evolution, as well as the legislation and regulatory activity impacting the industry.

...
913-234-7427