N.Y. Explains That You Need to Report Breaches
An insurance company licensed to do business in New York learned the hard way that the state is serious about breach reporting.
Delta Dental discovered that the state (NY DFS) didn’t think their breach reporting plan was adequate. DFS also said that their preventative measures were “deficient”.
And it only cost Delta $2.25 million. They settled after Delta’s policies and procedures failed to satisfy the state’s regulations. DFS requires that you report a breach within 72 hours.
Among the issues that the regulators cited them for were:
- No set policies for the periodic and secure disposal of non-public information that is no longer needed for business operations or other legitimate business purposes.
- No written or implemented incident response policy
- Didn’t maintain an incident response plan that sufficiently addressed their reporting obligations to regulators
The company cooperated with the state, which is likely the reason the fine was only $2 million.
According to the law firm Fisher Phillips, here are four things you can do to not wind up paying a $2 million fine.
- Audit your incident response plan. Make sure the plan is updated to match whatever your current regulatory environment and insurance carrier requires.
- If you are part of a regulated industry, communicate with your regulator. They often put out advisories and notices. DFS is particularly good about that.
- Track regulatory developments. Rules change frequently and the pace is likely to continue to speed up. States like New York and California are particularly active when it comes to regulations. Remember it doesn’t matter where your office is located; what matters is where your users are located.
- Follow the reporting requirements. The regulators are getting more aggressive. Reporting windows of 72 hours or 24 hours are getting more common. CISA just put out a regulation (a BOD) for federal agencies that requires actions to occur in as little as 2 hours.
If you have questions, contact us or your attorney. Or both. Credit: Fisher Phillips
