04/30/2026 | Press release | Distributed by Public on 04/30/2026 07:32
New York State Department of Financial Services Acting Superintendent Kaitlin Asrow today announced that Delta Dental Insurance Company (DDIC) and Delta Dental of New York, Inc. (DDNY) will pay a $2.25 million penalty for violations of the Department's cybersecurity regulation (23 NYCRR Part 500). An investigation determined that the companies' inadequate incident response policies and procedures allowed threat actors to exploit vulnerabilities to obtain unauthorized access to New Yorkers' personal information.
"The Department's nation-leading cybersecurity regulation requires financial institutions to have robust policies in place to protect the personal information of New Yorkers," said Acting Superintendent Asrow. "As cybersecurity threats continue to grow, the Department is committed to holding institutions accountable."
DDIC is a licensed accident and health insurer and DDNY is a licensed non-profit dental expense indemnity. Both companies use MOVEit Transfer servers to facilitate the transfer of files among their affiliates' customers, business partners, medical professionals, and employees. On June 2, 2023, the Department alerted regulated entities to this vulnerability and its remediation in an industry guidance letter. DDIC and DDNY subsequently determined that threat actors had exploited this vulnerability to obtain unauthorized access to their MOVEit Transfer servers and exfiltrated a significant volume of files containing consumer non-public information, including names, addresses, Social Security numbers, driver's license numbers, financial account information, and patient health information. The companies notified all affected consumers by March 2024.
The Department's investigation found that the cybersecurity program used by the companies did not comply with DFS's cybersecurity regulation, which requires them to implement retention settings, policies, procedures, and controls designed to protect consumer data and the information systems of the financial institutions themselves. In addition to the failures described above, DDIC and DDNY failed to timely report their respective cybersecurity events. This notice requirement is a critical safeguard that enables the Department to carry out its responsibility to protect consumers.
DFS's cybersecurity regulation became effective in March 2017, with an updated amendment effective as of November 2023 designed to enhance cyber governance, mitigate risks, and strengthen protections for New York businesses and consumers against cyber threats. It has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors Nonbank Model Data Security Law.
Read the Delta Dental consent order on the Department's website.