On January 24, 2022, New York Attorney General Letitia James announced a $600,000 settlement agreement with EyeMed Vision Care, a vision benefits company, stemming from a 2020 data breach compromising the personal information of approximately 2.1 million individuals across the United States, including nearly 99,000 in New York State (the “Incident”).
This settlement was the result of an enforcement action brought by the NY Attorney General under New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”). Enacted in 2019, the SHIELD Act aims to strengthen protections for New York residents against data breaches affecting their private information. The SHIELD Act imposes expansive data security obligations and updated New York’s existing data breach notification requirements. Our SHIELD Act FAQs are available here.
Notably, EyeMed found itself in the AG’s crosshairs not because of what it did after discovering the Incident, but instead because of what it failed to do beforehand. Specifically, the AG alleged that, pre-Incident, EyeMed had not maintained reasonable safeguards in the areas of authentication, password management, logging and monitoring, and data retention. The AG also alleged that EyeMed’s privacy policy had misrepresented the extent to which it protected the privacy, security, confidentiality, and integrity of personal information.
Based on these findings, the AG successfully secured—in addition to the $600,000 payment—EyeMed’s agreement to maintain a written information security program. This program must include, at minimum, policies and procedures related to password management, authentication and account management, encryption, penetration testing, logging and monitoring, and data retention. EyeMed is required to review this program annually and to provide training to its workforce on compliance with the program’s requirements.
The EyeMed breach stemmed from a common form of cyberattack in which the bad actor gains access to certain of an organization’s email accounts—and to the sensitive data therein. In EyeMed’s case, the bad actor accessed emails and attachments containing a wide range of PHI and PII, including:
- Names;
- Contact information, including addresses;
- Dates of birth;
- Account information, including identification numbers for health insurance accounts and vision insurance accounts;
- Full or partial Social Security Numbers;
- Medicaid and Medicare numbers;
- Driver’s license or other government ID numbers;
- Birth or marriage certificates;
- Medical diagnoses and conditions; and
- Medical treatment information.
EyeMed first became aware of the bad actor’s activities on July 1, 2020—one (1) week after the attacker initially gained access to EyeMed’s email account—and subsequently blocked the bad actor’s access to this account. After conducting an internal investigation and engaging a forensic cybersecurity firm (through outside counsel), EyeMed determined that the bad actor may have exfiltrated documents and information from the account. Beginning on September 28, 2020, EyeMed began notifying affected individuals and regulators about the breach, and offering them identity theft protection services.
The SHIELD Act is far-reaching. It affects any business (including a small business) that holds private information of a New York resident—regardless of whether the organization does business in New York. Under the Act, individuals and businesses that collect computerized data, including private information about New York residents, must implement and maintain reasonable administrative, physical, and technical safeguards.
The fine and non-monetary requirements of the EyeMed settlement are significant and highlight the need for organizations to carefully craft—and regularly revisit—their written information security programs. As the AG made clear when announcing this settlement, enforcing compliance with the SHIELD Act’s mandate that organizations maintain reasonable data security safeguards will be a focal point for her office moving forward.