The New York State Attorney General’s finding that EyeMed Vision Care LLC had failed to protect customer data in violation of the NY SHIELD Act provides insights for companies on how to protect information. New York’s SHIELD Act applies, as we have written previously, to any organization owning or licensing the information of a NYS resident, not just organizations located in New York. It requires companies to take reasonable administrative, technical, and physical safeguards to protect collected personal information.

The underlying incident occurred when an attacker gained access to an EyeMed email address for a week, and used it to send 2000 phishing emails to EyeMed clients. During that time, the attacker accessed and had the ability to exfiltrate emails and attachments with customer information from as far back as 2014. EyeMed retained counsel, engaged a reputable forensic cybersecurity firm to assist with their investigation, and offered impacted individuals credit monitoring, fraud consultation, and identify theft restoration.

While the attorney general did not comment on EyeMed’s incident response process, the office felt that the company’s prior actions -or lack thereof- helped lead to the incident. Of particular concern were the following elements:

  • Lack of multi-factor authentication on the compromised web-facing email account.
  • Insufficient password management requirements on the account that contain large volumes of customer information (character length only a minimum of eight; six login attempts were allowed before locking the user account).
  • Account logs only were available for 90 days.
  • Emails stored that had customer information from as far back as 2014.

As a result of the investigation, EyeMed was required to update its internal processes to address these concerns. EyeMed also agreed to pay a $600,000 fine.

Putting it into Practice: In keeping with other guidance from New York, the EyeMed settlement shows that the New York AG has very specific expectations of companies’ data security measures. These include password strength, logging capabilities, and data storage minimization.