Data Privacy: NYAG Sanctions Accounting Firm for Data Breaches

by John Jenkins

November 13, 2025

Last month, the NYAG announced a settlement with a public accounting firm arising out of the firm’s alleged failure to adequately safeguard its clients’ information in connection with two cybersecurity incidents that cumulatively exposed the private information of over 6,000 persons. This excerpt from the AG’s press release summarizes the factual basis for its allegations:

Wojeski is a certified public accounting firm. On July 28, 2023, Wojeski employees realized they were experiencing a ransomware attack when they were unable to access certain files in their systems. After containing the threat and launching an investigation, Wojeski found that the cyberattack was likely caused by a phishing email sent to one of their employees. The investigation also found that customers’ social security numbers were not encrypted in parts of the company’s network. On May 31, 2024, Wojeski was notified of another data breach when an employee from a firm hired to help with the investigation improperly accessed customer data located in the files that Wojeski had sent for review. The employees were also sending the information to several external email addresses without authorization.

Wojeski did not notify customers of either security breach until November 2024, a year and a half after their clients’ personal data was first jeopardized. Personal data exposed in one or both incidents included names, dates of birth, social security numbers, drivers’ license numbers, email addresses, phone numbers, financial account numbers, medical benefits, and entitlement information. The 2023 data breach affected 5,881 individuals, 4,726 of whom were New York residents, and the 2024 breach affected a total of 351 individuals, 267 of whom were New York residents. Following the data breaches, Wojeski offered impacted individuals free credit monitoring.

The settlement obligates the firm to pay $60,000 in penalties and to take a variety of actions designed to implement more stringent security standards with respect to its clients’ personal information. This excerpt from a Dechert blog on the proceeding says that the NYAG’s action was unduly harsh:

This matter and its characterization as “two breaches” appears unfair and harkens back to the old regulator mentality of “blame the victim,” which had appeared to be receding. The Wojeski settlement signals an unforgiving posture toward victims of criminal acts. So long as the forensics firm that investigated the breach was reputable and had good cyber hygiene (as most do), it is unclear why Wojeski would be tagged for that breach as well. It is also unclear what steps Wojeski could have taken to “prevent” the subsequent vendor breach.

The blog says that the action does make it very clear that companies need good cyber controls not just to avoid cyber threats, but also to protect themselves from regulators with 20/20 hindsight and a strict liability mindset.