On April 30, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced a $2.25 million settlement with Delta Dental Insurance Company and Delta Dental of New York, Inc. (an accident and health insurer and non-profit dental expense indemnity, respectively) (collectively, “Delta Dental” or the “Company”) for alleged violations of NYDFS’s cybersecurity regulation (23 New York Codes, Rules and Regulations (“NYCRR”) Part 500, also known as the “Part 500 Regulation”).
This enforcement action stemmed from a vulnerability identified in the popular file transfer solution MOVEit Transfer (maintained by Progress Software) a few years ago. In May 2023, the CL0P Ransomware Gang began exploiting this zero-day vulnerability, which allowed the group to exfiltrate data from MOVEit Transfer databases. Delta Dental was among the many companies that used MOVEit Transfer (in Delta Dental’s case, to “facilitate the transfer of files among their affiliates’ customers, business partners, medical professionals, and employees”).
As we discuss in greater detail below, this enforcement action highlights the importance of organizations engaging in proactive incident reporting and maintaining robust data retention and incident response policies. The enforcement action is also notable with respect to the entity targeted—despite the cybersecurity event originating with a vendor product (Progress Software’s MOVEit Transfer), Delta Dental, a Progress Software customer, was subject to the NYDFS enforcement action, in contrast to the more-common situation where only the impacted vendor faces enforcement activity.
Below, we summarize the consent order between NYDFS and Delta Dental and discuss key takeaways for companies looking to strengthen their cybersecurity compliance programs. To stay up to date on the latest developments in cybersecurity regulatory enforcement, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
Summary of the Consent Order
According to the consent order between NYDFS and Delta Dental, Delta Dental learned on June 1, 2023 of suspicious activity on its network related to MOVEit Transfer and discovered a “webshell” on the MOVEit Transfer servers related to the zero-day vulnerability that Progress Software had publicized earlier that day. In response, Delta Dental “stopped access to MOVEit Transfer, removed the malicious files, conducted an analysis of the MOVEit Transfer database, deployed all patches and security updates provided by Progress to remediate the vulnerability, and reset administrative passwords to MOVEit Transfer.”
After several weeks of investigation, the Company discovered evidence on July 6, 2023 that threat actors had exploited the vulnerability and exfiltrated files from its MOVEit Transfer solution between May 28 and May 30, 2023. The Company conducted a forensic review that concluded on November 27, 2023 with the finding that threat actors had exploited the MOVEit Transfer vulnerability to exfiltrate “approximately 60,000 files,” including “insureds’ names, addresses, social security numbers, driver’s license and other state identification numbers, passport numbers, financial account information, tax identification numbers, health insurance policy numbers, and patient health information.” The Company did not notify NYDFS of this cybersecurity incident, however, until December 15, 2023, and completed notice to affected consumers by March 2024.
In the consent order, NYDFS argued that Delta Dental had violated the Part 500 Regulation in several respects. First, the Department found Delta Dental’s data retention policies deficient, noting that the company had “extended the retention setting to 45 or 60 days for many folders [in its MOVEit Transfer database] and, in some instances, disabled folders’ retention settings entirely,” while at the same time failing to maintain any “written policy or procedure for requesting, reviewing, or approving such changes to folder retention settings.” Second, the Department found that Delta Dental failed to maintain and implement a written incident response policy, noting, in particular, the lack of a “written incident response plan that sufficiently addressed [the Company’s] reporting obligations to regulators.” Finally, the Department found that Delta Dental had failed to provide it with timely notice of the cybersecurity incident (i.e., within 72 hours of discovery), as required under Part 500.
The consent order requires Delta Dental to pay a $2.25 million civil penalty to NYDFS. Notably, the consent order also prohibits Delta Dental from applying for a tax credit or tax deduction in relation to the penalty, as well as from seeking reimbursement or indemnification for the penalty through an insurance policy. The agreement does not impose any other injunctive relief or corrective action requirements on Delta Dental.
Key Takeaways
The Delta Dental enforcement action highlights the importance of proactive incident reporting and robust data retention and incident response policies. While these considerations are particularly relevant for companies regulated by NYDFS, they also reflect best practices that companies operating in other regulatory contexts can apply.
- Some Regulators Still Expect Notice Even if Forensic Review is Ongoing. This enforcement action makes clear that NYDFS takes its cybersecurity event reporting requirement—which requires the reporting of cybersecurity incidents to the Department within 72 hours of discovery—seriously. Here, Delta Dental was aware by July 2023 that threat actors had exfiltrated files from its MOVEit Transfer database (and was aware as early as June 2023 that the vulnerability had affected its environment), but did not notify NYDFS until December 2023, after the completion of its forensic review. With this enforcement action, NYDFS makes abundantly clear that it views that type of delayed notification as insufficient—instead, the consent order suggests that companies should seek to notify the Department promptly after discovery of a cybersecurity incident, even if the company’s forensic investigation remains in progress. Though this lesson is most applicable to entities subject to the Part 500 Regulation, it is also relevant for companies considering their reporting obligations under other legal frameworks (e.g., state data breach notification laws).
- NYDFS Assesses for Robust Data Retention Policies. Notably, the consent order’s discussion of Delta Dental’s data retention practices went beyond a general assessment of Delta Dental’s data retention periods to primarily focus on the fact that the Company had no written policies governing changes to MOVEit Transfer’s default retention settings. In other words, the consent order should not be read to suggest that companies should not retain data for longer than 30 days; rather, it indicates the need for companies to develop robust policies that delineate how long different types of data can be retained, and how the company manages departures from those baselines.
- Incident Response Plans Should Be Detailed and Address Reporting Obligations. The consent order largely lays Delta Dental’s alleged reporting failures at the feet of the Company’s incident response policies and procedures, which the Department contends “lacked sufficient detail and guidance concerning the Companies’ regulatory reporting obligations, including their reporting obligations to [NYDFS].” This highlights the need for companies to understand who their regulators are, identify which of those regulators must be notified in the event of a cybersecurity incident, and ensure that those requirements are reflected in the companies’ incident response plans.