The New York State Department of Financial Services has announced that PayPal will pay $2M in a settlement over charges that it failed to comply with state cybersecurity regulations. The organization's failure to comply with the regulations led to a data breach in 2022, which may have compromised data such as:
- Names
- Birth dates
- Addresses
- Individual tax identification numbers
- Social Security Numbers
The breach occurred because of a mishandled change to how Form 1099-K data was collected and flowed through PayPal's systems. Investigators attributed this to inadequately trained engineering staff.
Dr. Ilia Kolochenko, CEO at ImmuniWeb and an Adjunct Professor of Cybersecurity at Capitol Technology University in Maryland, comments, “The NY DFS Cybersecurity Regulation (23 NYCRR Part 500) is probably one of the most detailed U.S. state-level regulations related to cybersecurity and data protection, resembling EU DORA in its comprehensive nature.
“This penalty is a clear reminder that cybersecurity is insufficient even if you implement all technical controls by implementing pricey solutions from the leading vendors, but fail to properly organize ongoing and organization-wide training. All entities covered by the Regulation should also consider reviewing the October 2024 Industry Letter by the DFS on the emerging cybersecurity and privacy risks created by GenAI.
“In 2025, we may see some nice surprises with the President Trump administration, like the long-awaited federal data protection and privacy law that may replace the convoluted patchwork of the state laws, terrifically simplifying compliance.”