The age-old IT defense when regulators investigate compliance violations is to try to keep a low profile — and hope no one looks too closely. But with enhanced SEC interest in all data breaches encouraging regulators around the globe to take a closer look at IT, data breach disclosure rules are becoming stricter.

While that might be unsettling for cybersecurity executives, it is also disturbing news for IT admins, who could find themselves under a remarkably uncomfortable spotlight.

Consider this recent move by the New York State Department of Financial Services against the Delta Dental Insurance Company. State officials hit the insurance company for improper and inconsistent enforcement of its own data retention policies; improper incident response plan protocols; and improper notification of the security incident itself.

The company was fined more than $2 million.

The data retention violations are perhaps the most problematic. Had that policy been enforced properly, much of the stolen data would have been destroyed long before the attackers could have accessed it.