Zachary Dyer, Steven Imber, Justin Liby, and Jennifer Osborn Nix of Polsinelli write:
The New York Department of Financial Services (“NYDFS”) recently announced that it has entered into a Consent Order with two affiliated life insurers for alleged violations of New York’s Cybersecurity Regulation (the “NY Cybersecurity Regulation”). The NYDFS conducted an investigation and determined that the two life insurers (the “Companies”) had been the subject of two phishing attacks in 2018 and 2019, which compromised the email accounts of several of the Companies’ employees, with access to a significant amount of sensitive and personal data of their customers. The NYDFS indicated that its investigation revealed the Companies allegedly violated the NY Cybersecurity Regulation by failing to implement Multi-Factor Authentication (“MFA”) without implementing reasonably equivalent or more secure access controls approved in writing by the Companies. Additionally, the NYDFS alleged the Companies falsely certified compliance with the NY Cybersecurity Regulation in 2018 because MFA was not fully implemented. The NYDFS also alleged that the two data breaches resulted in the exposure of numerous non-public personal data belonging to the Companies’ customers.
Read more on JDSupra