In a recent settlement with the New York Department of Financial Services, EyeMed Vision Care LLC agreed to pay a $4.5 million penalty and undertake remedial measures to increase its cybersecurity. This includes undertaking an action plan based on a comprehensive risk assessment, subject to the review and approval of NYFSD.

The case stemmed from an October 2020 incident. At that time, a threat actor gained access to an EyeMed email account used by nine employees through a likely phishing attack. The threat actor was then able to view consumer nonpublic information in the email account. NYDFS alleged that EyeMed did not conduct required risk assessments, failed to implement multifactor authentication, and did not have appropriate access controls in place.

The settlement focused on EyeMed’s security practices and its failure to conduct required cybersecurity risk assessments as required by the NYDFS Cybersecurity Regulation.

Putting it Into Practice: This is a reminder for covered entities that the NYDFS Cybersecurity Regulations require companies to conduct periodic risk assessments of information systems and nonpublic information stored on company networks.