What a $2.25M NY Cybersecurity Settlement Means for Businesses: Your 4-Step Action Plan | Fisher Phillips

https://www.jdsupra.com/legalnews/what-a-2-25m-ny-cybersecurity-5145998/

Publish Date: 2026-06-10 14:30:00

Source Domain: www.jdsupra.com

A recent $2.25 million settlement between an insurance company and the state of New York presents a cautionary tale for businesses in the Empire State. The New York State Department of Financial Services (NYDFS) found that the company’s incident response plan was inadequate and allowed threat actors to access New Yorkers’ personal information. Settlements between state cyber regulators and impacted organizations are often the result of the organizations’ missteps following a breach. In this case, NYDFS not only found that the company failed to meet reporting requirements following a cyber incident, but also that its preventative measures were deficient. Here’s why that’s important and what your organization should do to avoid similar sanctions.

The Significance of the Settlement

The insurance company agreed to settle the state’s claims after an NYDFS investigation concluded that the preventative cybersecurity policies and practices it had in place before the breach failed to satisfy the state’s regulatory threshold. The state also found that the company failed to report the breach to officials in a timely manner. NY’s Cybersecurity Regulation requires covered entities to notify regulators of a cybersecurity incident “promptly” and no later than 72 hours after a determination that a reportable event has occurred.

Specifically, the state said the insurance company’s cybersecurity posture did not meet requirements related to retention settings, controls, procedures, and policies that exist to protect the information systems and consumer data of regulated financial institutions, according to the April 30 settlement.

Key issues identified by investigators:

  • No set policies or procedures for the periodic and secure disposal of non-public information that is no longer necessary for business operations or for other legitimate business purposes.
  • No written or implemented policy addressing incident…