New York Financial Services’ EyeMed Settlement Emphasizes Risk Assessments, Email Controls | Davis Wright Tremaine LLP

[co-author: Lauren Harris]*

The New York Department of Financial Services (NYDFS) continues to be a major player in data security enforcement. On Oct. 18, 2022, NYDFS announced that it had entered into a consent order with EyeMed Vision Care LLC (EyeMed) to resolve allegations that EyeMed violated numerous provisions of the NYDFS Cybersecurity Regulation (Cybersecurity Regulation) that contributed to the exposure of non-public sensitive personal health data, including data concerning minors, to cyberattackers. EyeMed agreed to pay a $4.5 million penalty and “agreed to undertake significant remedial measures to better secure its data.” NYDFS’s settlement with EyeMed came days after the New York Attorney General announced a $1.6 million settlement with Zoetop Business Company, Ltd., for alleged cybersecurity failings affecting millions of customers of online retailers SHEIN and ROMWE (see our discussion of that settlement here).

NYDFS’s settlement with EyeMed emphasizes the importance of conducting risk assessments—both specifically to comply with the Cybersecurity Regulation and generally to mitigate cyber risks—and adopting critical email security measures, such as…
