EyeMed recently entered into a settlement with the Attorneys General of Oregon, New Jersey, Florida and Pennsylvania over a 2020 breach of an EyeMed email account that contained the data of more than 2 million individuals. As we previously reported, EyeMed entered into a settlement with NYDFS over this breach in October of 2022.

EyeMed has agreed to pay $2.5 million as part of this new settlement and to implement an information security program with requirements in the following areas: (1) data collection and retention; (2) cyber security operations center; (3) logging and monitoring; (4) email filtering and phishing solution; (5) access controls; (6) authentication; (7) asset inventory; (8) data loss/exfiltration prevention; (9) encryption; (10) data deletion; (11) risk assessments; and (12) information security program assessment. For two years after the settlement, EyeMed must provide the Attorneys General with a certification of compliance as well as any additional documents requested to demonstrate compliance.

Putting it Into Practice: In the aftermath of a breach, regulators are focusing not only on monetary settlements but also on the security measures in place at the time of the breach. This is a reminder that companies should regularly assess their information security program to ensure it is appropriately designed to protect the security, integrity, and confidentiality of the company’s data.