NYDFS Fines EyeMed $4.5 Million for Cybersecurity Violations
2 Minute Read
On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.
In the phishing attack, which lasted for several days in June and July 2020, a threat actor gained access to an EyeMed email folder that contained six years’ worth of sensitive, personal health data, including data concerning minors. The NYDFS’s consent order notes that EyeMed’s failure to comply with the Cybersecurity Regulation left EyeMed vulnerable to threat actors. Specifically, the regulator found that EyeMed failed to implement multi-factor authentication in its email systems, did not limit user access privileges to accounts containing sensitive information, and failed to implement sufficient data retention and disposal protocols. According to the consent order, the mailbox containing sensitive consumer information was protected by a weak password that was shared by nine employees. The NYDFS also discovered that EyeMed failed to conduct adequate cybersecurity risk assessments, and as a result, the company’s cybersecurity certifications for the calendar years 2017 through 2020 were “improper.”
As part of the settlement, EyeMed agreed to conduct a comprehensive cybersecurity risk assessment and prepare an action plan that addresses the risks identified in that assessment.
You May Also Be Interested In
5 Minute Read
April 8, 2026
A recent summary judgment order is a reminder that, in insurance coverage disputes, straightforward arguments can still win the day. In a coverage action arising from dozens of underlying personal injury suits, the court adopted a clear, text-based approach to the duty to defend—and ordered the insurer to provide a defense.
3 Minute Read
March 30, 2026
The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.
3 Minute Read
March 25, 2026
On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.
3 Minute Read
March 18, 2026
The post-COVID real estate market has seen a surge in luxury gyms and fitness spaces. Members are willing to shell out several hundred dollars a month for memberships at popular high-end fitness chains. These modern luxury gyms offer more than just workout spaces. Many offer holistic lifestyle services such as spas, hair salons, social amenities, co-working spaces, and daycare. These luxury gyms are gaining larger footprints and emerging as a unique retail asset.
Search
Recent Posts
Categories
- Advertising & Marketing
- Bankruptcy
- Class Action
- Competition/Antitrust
- Consumer Protection
- Corporate Governance
- Environmental
- General
- Health Care
- Insurance
- IP
- Labor and Employment
- Mergers & Acquisitions
- News & Events
- Patent Infringement
- Patents
- Privacy & Cybersecurity
- Product Liability
- Real Estate
- Regulatory
- Technology & E-Commerce
Tags
- 29 C.F.R. § 785.48
- 396-r
- 3D Printer
- 3D Printing
- A. Todd Brown
- A.S. Research (ASR)
- Aaron P. Simpson
- Accountability
- Administrative Agencies
- Administrative Exemption
- Advertisers
- Advertising
- Advertising Claims
- Advertising Guidelines
- Advertising Idea
- Agency Guidance
- Agency Principles
- AI
- AI Interviewing Platforms
- AI Technology Reviews
- AIA
- Air
- Algorithmic Accountability Act
- Align
- Americans with Disabilities Act
- Americans with Disabilities Act (ADA)
- Andrea DeField
- Ann Marie Buerkle
- Annual Reports
- anti-aging
- Anti-Discrimination
- APEX Agreement
- Arbitration
- Arbitration Agreements
- Arizona
- Arkansas
- Arthritis
- Artificial Intelligence
- Artificial Intelligence (AI)
- Asbestos
- Assembly Bill 51 (AB 51)
- ATDS
- Australia
- Auto-renewals
- Automatic Telephone Dialing System (ATDS)
- Automobile
- Automotive Body Parts Association (ABPA)
- Back to Work Emergency Ordinance
- biased endorsements
- Biden Administration
- Biometric Data
- Biometric Information
- Biometric Information Privacy Act (BIPA)
- BIPA
- Bitcoin
- Blockchain
- Board Diversity Disclosure
- Boards of Directors
- Bonuses
- Braille
- Branding
- Breach
- Breach of Contract
- Business Interruption
- Business Interruption Loss
- Businessowner’s Insurance
- Buy Now, Pay Later
- California
- California Air Resources Board
- California Assembly Bill 2011
- California Employment Laws
- California Fair Employment and Housing Act
- California False Claims Act
- California Labor Code
- California Legislation
- California Senate Bill 6
- California’s Unfair Competition Law
- CAMS
- Canada
- Cannabis
- CARB
- CBD
- CBP
- CCPA
- Celebrity Endorsers
- Center for Disease Control (CDC)
- CFIUS
- CGL
- Chatbot
- Children’s Advertising
- Children’s Advertising Review Unit
- Children’s Online Privacy Protection Act (COPPA)
- China
- Christopher J. Dufek
- Christopher W. Hasbrouck
- Christy Kiely
- CIPA
- Class Action
- Class Action Litigation
- Class Actions
- Clawback
- Click-to-Cancel
- Climate Change
- Climate Disclosure
- clinical trials
- Collective Action
- Colorado
- Commerce Clause
- Commercial General Liability
- Commercial Leasing
- Commercial Messaging
- Commercial Products
- Commercial Real Estate
- Commodity Futures Trading Commission
- Compensation
- Compliance
- Confidentiality
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Advertising
- Consumer Data
- Consumer Financial Protection Bureau
- Consumer Fraud
- consumer loyalty program
- Consumer Privacy
- Consumer Product Safety Act
- Consumer Products
- Consumer Products Safety Commission (CPSC)
- Consumer Protection
- Consumer Review Fairness Act of 2016 (CRFA)
- Consumer Reviews
- Consumer Rights
- Contamination
- Contract Law
- Controlled Substance Act
- Cookies
- Cookware
- COPPA
- Copyright
- Coronavirus/COVID-19
- Corp Fin
- Corporate Governance
- Corporate Reporting
- Corporate Sustainability
- Corporate Transparency Act (CTA)
- Costco
- Counterfeit Goods
- Counterfeit Goods Seizure Act of 2019
- Court of International Trade
- CPPA
- CPRA
- CPSA
- CPSC
- Crack House Statute
- CRFA
- Crypto
- Cryptocurrency
- CSPA
- Cuba
- Currency
- Customs and Border Protection
- Cyber
- Cyber Coverage
- D&O
- D&O policies
- D. Andrew Quigley
- Damages
- Data Breach
- Davidson
- Deceptive Advertising
- DEI
- Delaware
- Delivery Drivers
- DEP
- Department of Agriculture
- Department of Justice
- Department of Labor
- Development Impact Fee
- Dietary Guidelines
- Digital Assets
- digital currency
- Disclosures
- Discrimination
- Distribution
- Division of Corporation Finance
- Dodd-Frank
- DOJ
- DOL
- Duty to Defend
- Duty to Indemnify
- e-liquid products
- Eddie Bauer
- EEOC
- Electric Vehicles
- Eleventh Circuit
- Emily Burkhardt Vicente
- Employee Rights
- Endorsement
- Endorsement Guides
- Endorsement Notice
- Endorsements
- endorser monitoring requirements
- Enforcement
- Environmental Impact
- Environmental Protection Agency
- Environmental Protection Agency (EPA)
- EPA
- Epidemic
- ESG
- ESG Disclosure
- EU Regulation
- European Union
- European Unitary Patent
- EV Charging
- Exceptions
- Exclusions
- Executive Compensation Disclosure Rules
- Executive Order
- Executive Orders
- Exercise Machines
- Extended Producer Responsibility (EPR)
- FAA
- Fair Labor Standards Act
- Fair Labor Standards Act (FLSA)
- fair use
- False Advertising
- False Advertising Claims
- False Advertising Law
- False Claims Act
- Family Leave Policies
- FAR
- Fashion Accountability Acts
- FCC
- FCRA
- FDA
- Federal Acquisition Regulations
- Federal Arbitration Act (FAA)
- Federal Communications Commission
- Federal Contractors
- Federal Contracts
- Federal District Court
- Federal Government Contractor
- Federal Government Shutdown
- Federal Trade Commission
- Federal Trade Commission (FTC)
- FFDCA
- FIFRA
- Fifth Circuit
- Final Rule
- Financial Technology
- FinCEN
- FinHub
- Fireworks
- First Amendment
- Fixing America’s Surface Transportation (FAST) Act
- Florida
- Florida House of Representatives (HB 963) and Florida Senate (SB 1670)
- Florida Legislature
- FLSA
- FLSA/Wage & Hour
- FMLA
- Food and Beverage Manufacturers
- Food and Drug Administration (FDA)
- Food Delivery
- Food Safety
- Form 10-K
- Formaldehyde Standards for Composite Wood Products Act of 2010
- fractional interests
- Franchise
- Frederic Chang
- Free Trials
- FTC
- FTC Act
- Gavin Newsom
- GDPR
- General Liability
- Geoffrey B. Fehling
- Georgia
- Gift Cards
- GoodRx
- Gramm-Leach-Bliley (GLB) Act
- Green
- Green Guides
- Greenhouse Gas
- Gun Safety
- Hart-Scott-Rodino
- Hart-Scott-Rodino (HSR)
- Hashtag
- Hawaii
- Health Care
- Health Claims
- Hedge Fund
- HIPAA
- hoverboards
- human capital
- Human Rights
- IEEPA
- Illinois
- Illinois Artificial Intelligence Video Interview Act (the Illinois Act)
- Illinois Biometric Information Privacy Act (BIPA)
- Independent Contractors
- Indiana
- Indoor Mall
- Influencer Marketing
- Infringement
- initial public offerings (IPOs)
- Injury
- Insurance
- Insurance Loss
- Insurance Provider
- Intellectual Property
- Intellectual Property Licenses in Bankruptcy Act
- Inter Partes Review
- Interest Rate
- International
- International Trade Commission
- International Trade Commission (ITC)
- Internet
- Inventorship
- investigation
- INVISALIGN
- Iowa
- IP
- IPR
- Ireland
- IT
- ITC
- iTERO
- Job Posting
- Junk Fees
- Katherine Miller
- Kurt A. Powell
- Kurt G. Larkin
- Labeling
- Labeling Requirements
- Labeling Rules
- Labor
- Labor Code Private Attorneys General Act of 2004 (PAGA)
- Labor Organizing
- Labor Unions
- Land Use
- Landlord
- Latin America
- Lautenberg Act
- Lawsuit Reform Alliance of New York (LRANY)
- Lead
- Lease
- Legislation
- Leveraged Loans
- Liability Insurance Policy
- Liberty Insurance Corporation
- Liberty Mutual Fire Insurance Company
- LIBOR Discontinuation
- liquidity
- Litigation
- Live Chat
- Lost Profits
- Lost Sales
- Louisiana
- Luxury Gyms
- M&A
- Made in the USA
- Made in USA
- MagicSleeve
- Magnuson-Moss Warranty Act
- Magnuson-Moss Warranty Act (MMWA)
- Maine
- Malcolm C. Weiss
- Manufacturing
- Marketing
- Marketing Claims
- Maryland
- Massachusetts
- Matthew T. McLellan
- Maya M. Eckstein
- MD&A
- Medtail
- Membership cancellation
- Mergers & Acquisitions
- Metaverse
- MeToo Movement
- Mexico
- Michael J. Mueller
- Michael S. Levine
- microplastics
- Microplastics Litigation
- Minimum Wage
- Minnesota
- Minnesota Pollution Control Agency (MPCA)
- Misclassification
- Mislabeling
- Mission Product Holdings
- Missouri
- Mobile
- Mobile App
- Motoclick
- Multi-Family Housing Development
- Multi-Level Marketing Program (MLM)
- NAA
- NAD
- NASA
- Nasdaq
- National Advertising Division
- National Advertising Division (NAD)
- National Advertising Review Board
- National Labor Relations Act
- National Labor Relations Board
- National Products Inc.
- National Retail Federation
- Natural Disaster
- Nebraska
- Negligence Claims
- Neil K. Gilman
- Network Outage
- Nevada
- New Jersey
- New York
- New York City Department of Consumer and Worker Protection
- New York Department of Financial Services
- NHTSA
- NIL rights
- Ninth Circuit
- NLRA
- NLRB
- no-action request
- Non-Compete
- Non-Exempt
- Non-Exempt Employees
- non-fungible token (NFT)
- North Carolina
- Nutrition Labels
- Obama Administration
- Occupational Safety and Health Administration (OSHA)
- Occurrence
- Office of Labor Standards Enforcement
- Ohio
- Oklahoma
- Online Cash Providers
- Online Retailer
- Online Reviews
- Opinion Letters
- Opioids
- Opt-Out
- Oregon
- Overboarding
- Overtime
- Overtime Exemptions
- Ownership
- Packaging
- PAGA
- Pandemic
- Patent
- Patent Infringement
- Patents
- Paul T. Moura
- Pay Equity
- Pay Ratio
- Pay Transparency
- Pay-To-Play Rankings
- Penalty
- Pennsylvania
- Penny Shortage
- Personal and Advertising Injury
- Personal Data
- Personal Information
- Personally Identifiable Information
- Pesticides
- PFAS
- Physical Loss or Damage
- Policy
- price gouging
- Primary and Umbrella Policies
- Privacy
- Privacy Guidelines
- Privacy Policy
- Privacy Protections
- Procurement
- Product Liability
- Product Packaging
- Prohibition on Sale
- Property Insurance
- Property Rights
- Proposed Legislation
- Proposition 65
- Proxy Access
- proxy materials
- Proxy Statements
- PTAB
- PTO
- Public Companies
- Purdue Pharma
- Randall S. Parks
- Ransomware
- Real Estate
- Recall
- Recalls
- Recording
- Regulation
- Regulation S-K
- Restaurants
- Restrictive Covenants
- Retail
- Retail Developers
- Retail Development
- Retail Industry Leaders Association
- Retail Litigation Center
- Retail Year in Review
- Retaliation
- Rounding
- Rulemaking
- Ryan A. Glasgow
- Sales Tax
- Salesforce
- SD8 coins
- SEC
- SEC Disclosure
- Second Circuit
- Section 337
- Section 365
- Secure and Fair Enforcement Banking Act of 2019 (“SAFE Banking Act”)
- Securities
- Securities and Exchange Commission
- Securities and Exchange Commission (SEC)
- Securities Exchange Commission
- security checks
- Senate
- Senate Data Handling Report
- Sergio F. Oehninger
- Service Contract Act (SCA)
- Service Interruption
- Service Provider
- SHARE
- Shareholder
- Shareholder Proposals
- Sign-In Wrap Agreement
- Slogan
- Smart Contracts
- SNAP
- Social Media
- Social Media Influencers
- Software
- South Carolina
- South Dakota
- Special purpose acquisition companies (SPACs)
- Sponsors and Gifting
- Sponsorship
- State Attorneys General
- State Law
- State Legislation
- Store Closures
- Subscription Services
- Substantiation
- Substantiation Notice
- Supplier
- Supply Chain
- Supply contracts
- Supreme Court
- Sustainability
- Syed S. Ahmad
- Synovia
- Targeted Advertising
- Tariff
- Tax
- TCCWNA
- TCPA
- Technology
- Technology Innovation
- Telemarketing
- Telephone Consumer Protection Act
- Telephone Consumer Protection Act (TCPA)
- Tempnology LLC
- Tenant
- Tennessee
- Terms and Conditions
- Texas
- The Fair Credit Reporting Act (FCRA)
- Third-Party
- Thomas R. Waskom
- Title VII
- Tokenization
- Tokens
- Toxic Chemicals
- Toxic Substances Control Act
- Toxic Substances Control Act (TSCA)
- Trade Dress
- Trademark
- Trademark Infringement
- Trademark Trial and Appeal Board (TTAB)
- TransUnion
- Travel
- Trends
- Trump Administration
- TSCA
- TSCA Title VI
- U.S. Department of Justice
- U.S. Department of Labor
- U.S. Food and Drug Administration
- U.S. House of Representatives
- U.S. Patent and Trademark Office
- Ultra-Processed Foods
- Umbrella Liability
- Unfair and Deceptive Use
- Union
- Union Organizing
- United Specialty Insurance Company
- Unmanned Aircraft
- Unruh Civil Rights Act
- UPSTO
- US Chamber of Commerce
- US Customs and Border Protection (CBP)
- US Environmental Protection Agency (EPA)
- US International Trade Commission (ITC)
- US Origin Claims
- US Patent and Trademark Office
- US Patent and Trademark Office (USPTO)
- US Supreme Court
- USDA
- USPTO
- Utah
- Varidesk
- Vendor
- Vermont
- Virginia
- Volatile Organic Compound (VOC) Emissions
- W. Jeffery Edwards
- Wage and Hour
- Wage-And-Hour
- Walter J. Andrews
- Warning Labels
- Warranties
- Warranty
- Washington
- Washington DC
- WCAG
- Web Accessibility
- Website
- Website Accessibility
- Weight Loss
- Wiretap
- Wiretapping
- World Health Organization (WHO)
- Wyoming
- Year In Review
- Zoning
- Zoning Conversion
- Zoning Ordinances
- Zoning Regulations
Authors
- Gary A. Abelev
- Alexander Abramenko
- Yaniel Abreu
- Christian S. Adams
- Syed S. Ahmad
- Brandon Bell
- Fawaz A. Bham
- Michael J. “Jack” Bisceglia
- Jennifer L. Bloom
- Jeremy S. Boczko
- Brian J. Bosworth
- Shannon S. Broome
- Samuel L. Brown
- Tyler P. Brown
- Melinda Brunger
- Jimmy Bui
- M. Brett Burns
- Olivia G. Bushman
- Daniel J. Butler
- Matthew J. Calvert
- Grant H. Cokeley
- Abigail Contreras
- Eric S. Crusius
- Christopher J. Cunio
- Alexandra B. Cunningham
- Merideth Snow Daly
- Timothy G. Decker
- Katherine P. Deegan
- Andrea DeField
- John J. Delionado
- Stephen P. Demm
- Mayme Donohue
- Christopher J. Dufek
- Robert T. Dumbacher
- M. Kaylan Dunn
- Chloe Dupre
- Frederick R. Eames
- Maya M. Eckstein
- Rob Edwards
- Tara L. Elgie
- Clare Ellis
- Latosha M. Ellis
- Juan C. Enjamio
- Kelly L. Faglioni
- Ozzie A. Farres
- Geoffrey B. Fehling
- Jason Feingertz
- Hannah Flint
- Erin F. Fonté
- Kevin E. Gaunt
- Jane M. Geiger
- Andrew G. Geyer
- Armin Ghiam
- Neil K. Gilman
- Ryan A. Glasgow
- Tonya M. Gray
- Elisabeth R. Gunther
- Steven M. Haas
- Kevin Hahm
- Jason W. Harbour
- Jeffrey L. Harvey
- Christopher W. Hasbrouck
- Eileen Henderson
- Gregory G. Hesse
- Kirk A. Hornbeck
- Mark Ingram
- Jamie Zysk Isani
- Nicole R. Johnson
- Roland M. Juarez
- James A. Kennedy, II
- Suzan Kern
- Jason J. Kim
- Scott H. Kimpel
- Elizabeth King
- Andrew S. Koelz
- Leslie W. Kostyshak
- P. Reiko Koyama
- Kurt G. Larkin
- Tyler S. Laughinghouse
- Gerry Leone
- Michael S. Levine
- Ashley Lewis
- Abigail M. Lyle
- Maeve Malik
- Eric R. Markus
- John Gary Maynard, III
- Aubrianna L. Mierow
- Gray Moeller
- Reilly C. Moore
- Michael D. Morfey
- Ann Marie Mortimer
- Michael J. Mueller
- J. Drei Munar
- Matthew Nigriny
- Michael A. Oakes
- Justin F. Paget
- Randall S. Parks
- J. Steven Patterson
- Katherine C. Pickens
- Gregory L. Porter
- Robert T. Quackenboss
- D. Andrew Quigley
- Michael Reed
- Jonathan D. Reichman
- Kelli Regan Rice
- Patrick L. Robson
- Amber M. Rogers
- Natalia San Juan
- Arthur E. Schmalz
- Daniel G. Shanley
- Madison W. Sherrill
- Kevin V. Small
- J.R. Smith
- Bennett Sooy
- Brian T. Stansbury
- Daniel Stefany
- Hak Stepanyan
- Javaneh S. Tarter
- Shauna R. Twohig
- Paige Van Oosten
- Jessica N. Vara
- Emily Burkhardt Vicente
- Mark R. Vowell
- Gregory R. Wall
- Thomas R. Waskom
- Malcolm C. Weiss
- Holly H. Williamson
- Samuel Wolff
- Jingyi “Alice” Yao
- Jessica G. Yeshman