惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

aimingoo的专栏
aimingoo的专栏
V
V2EX
G
Google Developers Blog
F
Full Disclosure
Martin Fowler
Martin Fowler
宝玉的分享
宝玉的分享
H
Hacker News: Front Page
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
NISL@THU
NISL@THU
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
Hacker News - Newest:
Hacker News - Newest: "LLM"
A
About on SuperTechFans
The Cloudflare Blog
C
Cisco Blogs
D
DataBreaches.Net
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Vercel News
Vercel News
P
Privacy International News Feed
Microsoft Security Blog
Microsoft Security Blog
Help Net Security
Help Net Security
Recorded Future
Recorded Future
PCI Perspectives
PCI Perspectives
S
Schneier on Security
AI
AI
N
News | PayPal Newsroom
雷峰网
雷峰网
C
Cyber Attacks, Cyber Crime and Cyber Security
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
L
LINUX DO - 最新话题
Hugging Face - Blog
Hugging Face - Blog
Apple Machine Learning Research
Apple Machine Learning Research
Schneier on Security
Schneier on Security
S
Securelist
云风的 BLOG
云风的 BLOG
Stack Overflow Blog
Stack Overflow Blog
博客园_首页
AWS News Blog
AWS News Blog
TaoSecurity Blog
TaoSecurity Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 三生石上(FineUI控件)
C
CXSECURITY Database RSS Feed - CXSecurity.com
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Cloudbric
Cloudbric
C
Cybersecurity and Infrastructure Security Agency CISA
Project Zero
Project Zero
C
Check Point Blog
S
Security Affairs

Privacy & Cybersecurity Law Blog

New Hampshire Amends the NHDPA to Prohibit the Sale of Children’s Personal Data Canada’s Proposed Social Media Ban for Children and Chatbot Regulation: Bill C-34’s Impact on Platforms European Commission Unveils Cybersecurity and AI Action Plan European Commission Refers Four Member States to CJEU Over NIS2 Transposition Delays EDPB Opens Public Consultation on New Personal Data Breach Notification Template European Commission Advances New Proposal to Expand Cloud Capacity and AI Infrastructure U.S. Supreme Court FTC Ruling Prompts Fresh Scrutiny of EU-U.S. Data Privacy Framework China Issues New Measures for Network Data Security Risk Assessment China Issues Regulations on Internet Content Multi-Channel Network Distribution Services China’s First Regulatory Framework for Virtual Companions Soon to Take Effect UK Data Protection Complaints Obligations Take Effect Vermont Enacts Significant Amendments to Data Broker Legislation Vermont Becomes 23rd State with Comprehensive Consumer Privacy Law Louisiana Enacts Comprehensive Consumer Privacy Law Connecticut Signs Comprehensive AI Bill into Law China CAC Issues Guidance on Conducting Audits Technology Companies Should Prepare for FTC Enforcement of Take It Down Act HHS Reorganizes Office for Civil Rights Oregon Prohibition on Public Body Disclosures to Data Brokers for Federal Immigration Purposes Now In Effect Connecticut Privacy Law Updates: Data Broker Rules, Geolocation Sale Ban, Surveillance Pricing Restrictions, and Genetic Data Regulations NYDFS Warns of Cybersecurity Risks from Frontier AI Models UK and Australia Announce Memorandum of Understanding on AI Security FTC Announces Settlements With Three Marketing Firms Over Allegations of Deceptive Statements About Active Listening AI-Powered Services Cybersecurity Authorities Issue Joint Guidance on the Adoption of Agentic AI Systems Colorado AI Act Amended and Effective Date Delayed European Commission Releases Draft Guidelines on High-Risk AI Under the EU AI Act Texas AG Announces Lawsuit Against Netflix for Alleged Misrepresentations Regarding User Data UK ICO Recommends Targeted Changes to PECR Rules for Online Advertising California AG Announces Record $12.75M Settlement with GM over CCPA Data Minimization and Purpose Limitation Violations Illinois Department of Human Rights Issues Regulations Governing the Use of AI in Employment Decisions Maryland Enacts First-of-its-Kind Ban on Surveillance Pricing for Grocery Sales UK ICO Publishes Guidance on Storage and Access Technologies CIPL Report Discusses Significant Alignment between GDPR and Global CBPR CalPrivacy Announces the Agenda for its April 30–May 1 Board Meeting CalPrivacy Requests Preliminary Comments on Notices & Disclosures, Employee Data COPPA Rule Amendment Compliance Deadline Approaches House Republicans Introduce Comprehensive Federal Privacy Bill: “SECURE Data Act” Kentucky Classifies Smart TV Data as Sensitive Alabama Becomes 21st State With Comprehensive Consumer Privacy Law CalPrivacy Director Expects CCPA Compliance Audits in 2026 Virginia Bans Sale of Geolocation Data HHS’ Office for Civil Rights Settles HIPAA Investigation of Health Care Software Company New Jersey Enacts New Restrictions on Health Care Facilities’ Use of Patient Data Washington State Enacts Law Regulating AI Companion Chatbots with Private Right of Action Guardrails for Legal AI: What California’s SB 574 Would Require of Attorneys and Arbitrators
Delta Dental Agrees to $2.25 Million Settlement with NYDFS Over MOVEit Data Breach Response
2026-05-08 · via Privacy & Cybersecurity Law Blog

Delta Dental Agrees to $2.25 Million Settlement with NYDFS Over MOVEit Data Breach Response

On April 30, 2026, the New York State Department of Financial Services (NYDFS) announced a $2.25 million settlement with Delta Dental Insurance Company, a licensed health insurer, and Delta Dental of New York, Inc., a licensed non-profit dental expense indemnity (together, “Delta Dental”), for violations of NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500).

The settlement follows NYDFS’s investigation into Delta Dental’s response to a 2023 cybersecurity incident that exploited a zero-day vulnerability in Progress Software’s MOVEit file transfer tool. Delta Dental reported that the unauthorized access to its MOVEit tool resulted in the theft of approximately 60,000 files containing patient information, such as names, addresses, Social Security numbers, government-issued identification numbers, financial account information, tax identification numbers, health insurance policy numbers and patient health information.

NYDFS alleged that Delta Dental’s “inadequate incident response policies and procedures allowed threat actors to exploit vulnerabilities to obtain unauthorized access to New Yorkers' personal information.” Specifically, NYDFS alleged that Delta Dental violated the Cybersecurity Regulation as follows:

  • Failure to Limit Data Retention: Delta Dental failed to implement data retention settings, policies, procedures, and controls designed to protect consumer data and the company’s IT systems. For example, Delta Dental lengthened its IT systems’ default retention settings and stored the exfiltrated files for longer than 30 days.
  • Delayed Notice to NYDFS: Despite becoming aware of the incident in June 2023 and determining consumer data was affected in July 2023, Delta Dental did not notify NYDFS of the incident until December 15, 2023. (The Cybersecurity Regulation requires covered entities to notify NYDFS within 72 hours of discovery of an incident.)
  • Lacked Incident Response Policies: NYDFS found that Delta Dental failed to implement and maintain a written policy addressing incident response, including a plan that sufficiently addressed the company’s reporting obligations to regulators.

NYDFS’s consent order was limited to a monetary penalty, with no further action taken by the regulator against Delta Dental.