Following a phishing scam that compromised an employee email account, the company failed to conduct an adequate investigation (i.e., to determine whether the mailbox contained private consumer data at the time of the compromise) and failed to notify impacted customers and the Superintendent of Financial Services of the breach (the breach was reported 18 months later, following a regulatory exam by the DFS). The company must implement an incident response plan and conduct a risk assessment of its information systems.