The New York Department of Financial Services (“NYDFS”) recently announced that it has entered into a Consent Order with two affiliated life insurers for alleged violations of New York’s Cybersecurity Regulation (the “NY Cybersecurity Regulation”). The NYDFS conducted an investigation and determined that the two life insurers (the “Companies”) had been the subject of two phishing attacks in 2018 and 2019, which compromised the email accounts of several of the Companies’ employees and provided access to a significant amount of sensitive and personal data of their customers. The NYDFS indicated that its investigation revealed the Companies allegedly violated the NY Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”) and, in its place, failing to implement reasonably equivalent or more secure access controls approved in writing by the Companies. Additionally, the NYDFS alleged the Companies falsely certified compliance with the NY Cybersecurity Regulation in 2018 because MFA was not fully implemented. The NYDFS also alleged that the two data breaches resulted in the exposure of a large amount of non-public personal data belonging to the Companies’ customers.
Under the Consent Order, the Companies agreed to: (1) pay a $1.8 million monetary penalty to the State of New York; (2) conduct a cybersecurity risk assessment within 120 days of the effective date of the Consent Order and submit the assessment results to the NYDFS; and (3) have an independent third-party audit conducted of current MFA controls and submit the results to the NYDFS within 120 days of the effective date of the Consent Order, to ensure the Companies’ cybersecurity programs fully comply with the NY Cybersecurity Regulation.
The recent Consent Order continues a trend toward stepped-up enforcement of the NY Cybersecurity Regulation, as NYDFS builds an enforcement record that clarifies the cybersecurity requirements and strongly incentivizes compliance. Key cases include First American Financial Corporation, the first NYDFS cyber enforcement action to arise out of a data incident [1], and Residential Mortgage Services, Inc., the first NYDFS cyber enforcement action to arise out of a routine examination [2]. Also noteworthy, as part of NYDFS’s ongoing enforcement priorities and approach, are its consent decree with Zoom at the outset of the coronavirus pandemic [3] and the agency’s lawsuit and subsequent settlement with Dunkin Donuts over a series of data compromise incidents that went unreported for a period of years [4].
The NY Cybersecurity Regulation became effective in March 2017, and it has served as a model for other states, as well as for the National Association of Insurance Commissioners’ Insurance Data Security Model Law (the “Model Security Law”), which applies to insurers, insurance agents, third-party administrators and other entities licensed by state insurance departments. The Model Security Law requires insurance entities to establish and maintain a cybersecurity program designed to protect the confidentiality and integrity of their Information Systems, as well as any consumer non-public information. Additionally, the Model Security Law requires covered entities to (1) certify compliance with the Model Security Law annually, (2) have a written incident response plan, (3) develop and maintain a comprehensive written security program based on the entity’s risk assessment, and (4) conduct risk management and risk assessment activities, including employee training and maintaining updates to network systems.
The Model Security Law or related legislation has been adopted in the following states: Alabama, Connecticut, Delaware, Hawaii, Indiana, Iowa, Louisiana, Maine, Michigan, Minnesota, Mississippi, New Hampshire, North Dakota, Ohio, South Carolina, Tennessee and Virginia.
More Information on Our Insurance Business and Regulatory Law Team
Polsinelli's Insurance team has experience across the industry including: Accident/Health, HMOs, Brokerage, Captives, Life, Property & Casualty, Reinsurance, Risk Retention Groups, Third Party Administrators, Professional Liability, Public Entity Pooling, Workers Compensation, among others. To learn more about our Insurance Business and Regulatory Law practice or to contact a member of our Insurance Business and Regulatory Law team, visit our Insurance Business and Regulatory Law page.
More Information on Our Privacy and Cybersecurity Team
Polsinelli has assembled a deep, interdisciplinary team that focuses on assisting organizations as they strive to protect information, comply with ever evolving privacy and security regulations and respond to data incidents, regulatory investigations and litigation. To learn more about our Privacy and Cybersecurity practice or to contact a member of our team, visit our Privacy and Cybersecurity page.
[1] Polsinelli Pulse M&A Litigation Newsletter, March 3, 2021, “Cyber Comes to the C-Suite: New D&O Exposures in the Aftermath of First American” (John Cleary and Alex Boyd).
[2] Polsinelli Client Alert, April 12, 2021, “First NYDFS Cybersecurity Enforcement Action Arising From a Standard Examination Results in $1.5 Million Penalty” (Michael Waters and Jane Petoskey).