As mentioned in the initial post in this series, data security laws are emerging with explicit requirements to dispose of unnecessary data. But will regulators take this seriously? The 2022 enforcement actions against EyeMed Vision Care LLC provide $5.1 million reasons to conclude yes.
First, some context. Carefully managing data retention and disposal is one of the most effective security safeguards for any business. You can’t have a breach of data your business no longer retains, right? But U.S. state laws mandating reasonable data security for personally identifiable information (PII) traditionally have not required that PII be disposed of once no longer needed. And similarly, data safeguards rules for the financial services sector under the Gramm-Leach-Bliley Act (GLBA) traditionally have not required either data retention policies or disposal of customer data once no longer required for legal compliance or business purposes.
But this began to change in recent years:
- Several states’ PII security laws now specifically require disposal of PII once no longer needed for business purposes (I summarized these developments in a 2021 post). A good example is New York’s SHIELD Act. As of 2020, the SHIELD Act requires businesses that own or license computerized data with PII of a New York resident to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of the PII. To be deemed compliant, such businesses must “dispose of [PII] within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.” N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(C)(4) (emphasis added).
- New York also established sweeping new data security rules specifically for the financial services sector. The Cybersecurity Requirements for Financial Services Companies of the New York State Department of Financial Services (NYDFS) apply broadly to financial services businesses licensed or registered under New York’s Banking Law, Insurance Law, or Financial Services Law. 23 NYCRR § 500.1(c). The NYDFS Cybersecurity Rules broke new ground by requiring covered entities to have “policies and procedures for the secure disposal on a periodic basis of any nonpublic information … that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.” 23 NYCRR § 500.13.
So fine, we now have new data security laws requiring that businesses dispose of unnecessary data. But are regulators actually serious about this? Yes indeed – which brings us to EyeMed Vision Care LLC (EyeMed).
In re EyeMed Vision Care LLC, No. 21-071 (N.Y. January 18, 2022). The New York Attorney General conducted a SHIELD Act investigation of EyeMed in the wake of a data breach involving a hacker’s access to an EyeMed email account. The hacked account contained six years of sensitive personal data provided by 2.1 million EyeMed customers for vision benefits enrollment and coverage purposes. The matter was settled in early 2022. The Assurance of Discontinuance included the Attorney General’s finding that “[i]t was unreasonable to leave personal information in the affected email account for up to six years rather than to copy and store such information in more secure systems and delete the older messages from the affected email account, particularly in light of the unreasonable protections for the affected email account at the time of the breach….” Among other mandates, the Assurance requires EyeMed to “permanently delete customer Personal Information when there is no reasonable business or legal purpose to retain it.” EyeMed was also assessed a penalty of $600,000.
In re EyeMed Vision Care LLC (NYDFS October 18, 2022). EyeMed’s troubles were not over. As an NYDFS licensee due to the insurance aspects of its business, EyeMed was also investigated by NYDFS under its cybersecurity regulations. The parties reached a settlement under an NYDFS consent order in October 2022. Among other findings of cybersecurity failings, NYDFS found that “because EyeMed failed to implement a sufficient data minimization strategy and disposal process for the Mailbox, the compromised shared Mailbox contained old data that was accessible to the threat actor. Proper disposal processes minimize the amount of NPI accessible to an unauthorized third party during a Cyber Event.” Thus, “[a]t the time of the Cyber Event, EyeMed did not have policies and procedures in place for the secure disposal on a periodic basis of NPI contained within the Mailbox that was no longer necessary for business operations or other legitimate business purpose, in violation of 23 NYCRR § 500.13.” The NYDFS consent order required EyeMed to perform a compliant security risk assessment and establish compliant security controls. NYDFS also assessed a civil penalty against EyeMed of $4,500,000, without recourse to tax treatment or insurance reimbursement.
EyeMed offers a cautionary tale. Not only do state-level data security laws increasingly require disposal of unnecessary data, but regulators appear willing and serious about enforcing retention schedule and data disposal mandates.