EyeMed fined $4.5M over cybersecurity lapses that led to breach | Article

EyeMed Vision Care agreed to pay a penalty of $4.5 million as part of a settlement with the New York State Department of Financial Services (NYDFS) for cybersecurity control failures that helped enable a 2020 data breach.

EyeMed did not have proper controls in place when a bad actor gained access to a shared email inbox containing more than six years’ worth of personal information from customers, including minors, the NYDFS alleged. As a result, the company violated the regulator’s cybersecurity regulations, including through its attestations that it was in compliance with the requirements.

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity,” said NYDFS Superintendent Adrienne Harris in a press release Tuesday. “… This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”