NY Regulator Warns Of 'Widespread' Data Breach Campaign

By Al Barbarino
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Cybersecurity & Privacy newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (February 16, 2021, 9:14 PM EST) -- The New York State Department of Financial Services urged insurers Tuesday to secure customers' non-public data and to report any potential data breaches, warning that it is monitoring a "widespread cybercrime campaign" criminals are using to hack data and use it to illegally obtain funding reserved for COVID-19 relief.

The regulator received reports from several regulated entities of "successful or attempted data theft" from websites providing instant rate quotes, such as those seen on car insurance websites, and said perpetrators are using the information to fraudulently apply for pandemic-related and unemployment benefits.

"Cyber criminals are creative and tenacious, and continue to look for new ways to exploit us during an already vulnerable time," said Linda A. Lacewell, superintendent of DFS, in a statement. "DFS expects the industry to protect consumer data by addressing cybersecurity risks in everything they do."

"DFS reminds its regulated entities to immediately report to DFS theft of consumers' [non-public information], pursuant to its cybersecurity regulation," the regulator added, noting in the alert that insurers should file the reports "within 72 hours at the latest."

DFS said that, last month, it alerted roughly a dozen regulated entities who host auto quote websites that they were likely being targeted by hackers looking to gain access to New Yorkers' data, specifically their driver's license numbers. Six insurers since then reported attempted hacks, with four of those reporting that the hacks resulted in actual breaches of customer data, DFS said.

"This activity appears to be part of an overall increase in efforts to steal [non-public information], driven in part by increased fraud activity during the pandemic," according to the alert. "Since the COVID-19 pandemic started, the U.S. has seen an unprecedented surge in benefits fraud."

Heather D. McArn, former chief of staff and special counsel at DFS prior to joining Hinshaw & Culbertson LLP as partner in 2019, told Law360 that the agency's ability to effectively track data breaches is thanks in part to the "reach and depth" of March 1, 2017's Part 500 regulation.

The rules, implemented over a subsequent two-year period, required stricter reporting requirements on companies, including having to report data breaches within 72 hours. 

"It's mandated monitoring, logging and early reporting of incidents, whether successful or not, provides DFS with a meaningful early alert so that they can assess and disseminate helpful warnings and instructions like these to protect the organization and the wider financial services industry," McArn said. 

"Privacy fraud is growing and superpowered by cyber criminals, meaning that organizations, their systems and their connections to consumers have to be constantly monitored and bolstered," she added.

In addition to car insurance, criminals are targeting a broad range of public-facing websites that utilize instant quotes, the regulator said in Tuesday's alert. The alert noted that hackers had even found a way to steal information that had been fully redacted. 

The regulator urged insurers to track data analytics and website traffic metrics for spikes in quote requests, especially those that terminate as soon as non-public information is revealed, and to monitor servers for evidence of unauthorized access to data.

DFS also asked insurers to ensure web security controls are in place to block the IP addresses of suspected unauthorized users and to consider reinstating quote limits per user session, among other safety measures. 

On Feb. 4, the department advised insurers to develop a "rigorous and data driven approach to cyber risk," offering a new framework to do so while warning that failures to carefully assess client risks could backfire.

The new "cyber insurance risk framework," which included details on setting up a risk strategy, urges insurers to recruit employees with cybersecurity expertise and to include requirements in cyber insurance policies that victims notify law enforcement.

--Editing by Michael Watanabe.

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!