The New York State Department of Financial Services recently announced that it has entered into a consent order with PayPal, Inc. for violations of the NYDFS Cybersecurity Regulation. The consent order, under which PayPal has agreed to pay a $2 million penalty, comes after an NYDFS investigation into a 2022 cybersecurity incident that led to the exposure of sensitive customer information on PayPal’s platform. NYDFS determined that the incident arose after PayPal failed to implement required policies and procedures, to use and train qualified personnel, and to use “effective controls” to protect against unauthorized access to sensitive information.
We previously wrote about amendments to the NYDFS Cybersecurity Regulation that were finalized in 2023. Those amendments imposed new and expanded requirements for cybersecurity program implementation and governance, phased in over several deadlines, some of which take effect on May 1 and November 1, 2025. While the PayPal consent order relies on the Cybersecurity Regulation as it stood before the 2023 amendments, it serves as a useful reminder of what has changed (and what hasn’t), with some final implementation deadlines still on the horizon.
This post explores the PayPal consent order and its implications for companies subject to the NYDFS Cybersecurity Regulation.
The 2022 security incident: a failure to communicate
According to the consent order, the trouble arose when PayPal changed its data collection flows as part of an initiative to make IRS Form 1099-Ks more accessible. NYDFS found that, because PayPal had not trained the engineering team responsible for implementing the changes, the team failed to apply PayPal’s existing policies and procedures, including its policies on access controls and customer data privacy. After a PayPal security analyst found a post online explaining how users could access PayPal customers’ Social Security numbers, an internal investigation determined that the changes had caused unmasked personal information to be displayed in customers’ Form 1099-Ks. Unauthorized actors were then able to launch credential stuffing attacks against PayPal’s platform (logging in with username and password pairs stolen in breaches elsewhere) and, once inside an account, read the Form 1099-K data, which included customers’ names, Social Security numbers, and dates of birth.
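The technical failure the consent order describes is a change to a data flow that let stored values reach a customer-facing page without the masking the policy required. The following is an added illustration, not PayPal’s code and not anything described in the consent order: it puts masking at the single point where a Form 1099-K record leaves the service, shows the kind of new flow that bypasses it, and includes the regression check a change-management process could run so that an unmasked Social Security number or full date of birth never ships. The record layout, field names, masking rules and sample data are all assumptions constructed for the example.

```python
"""
Added example (not PayPal's code, not from the consent order): masking enforced
at the serialization boundary of a Form 1099-K view, plus a regression check
that fails if a raw SSN or full date of birth reaches the outbound payload.
Record layout, field names and sample values are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass

# Raw patterns that must never appear in a customer-facing payload.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")  # a full ISO date of birth


@dataclass(frozen=True)
class Form1099K:
    payee_name: str
    tin: str            # taxpayer ID as stored, e.g. "123-45-6789" (assumed format)
    dob: str            # "YYYY-MM-DD" (assumed format)
    gross_amount: str


def mask_tin(tin: str) -> str:
    """Keep only the last four digits of the taxpayer ID."""
    digits = re.sub(r"\D", "", tin)
    if len(digits) != 9:
        raise ValueError("TIN must contain exactly 9 digits")
    return f"***-**-{digits[-4:]}"


def mask_dob(dob: str) -> str:
    """Expose only the birth year."""
    if not DOB_RE.fullmatch(dob):
        raise ValueError("DOB must be YYYY-MM-DD")
    return dob[:4] + "-**-**"


def render_unsafe(form: Form1099K) -> dict:
    """The kind of new data flow that caused the incident: the stored record is
    serialized as-is, and the masking policy is never applied."""
    return {
        "payee_name": form.payee_name,
        "tin": form.tin,
        "dob": form.dob,
        "gross_amount": form.gross_amount,
    }


def render_customer_view(form: Form1099K) -> dict:
    """Masking applied at the only place the record leaves the service."""
    return {
        "payee_name": form.payee_name,
        "tin": mask_tin(form.tin),
        "dob": mask_dob(form.dob),
        "gross_amount": form.gross_amount,
    }


def find_unmasked_pii(payload: dict) -> list[str]:
    """Return every raw SSN or full DOB found anywhere in an outbound payload.
    Scanning the serialized JSON catches values hidden in nested or renamed
    fields, which a per-field check would miss."""
    text = json.dumps(payload)
    return SSN_RE.findall(text) + DOB_RE.findall(text)


# Constructed sample record; the values are fictitious.
SAMPLE = Form1099K("Jane Q. Payee", "123-45-6789", "1985-07-14", "12345.67")

if __name__ == "__main__":
    print("unsafe flow leaks:", find_unmasked_pii(render_unsafe(SAMPLE)))
    print("masked flow leaks:", find_unmasked_pii(render_customer_view(SAMPLE)))
```

In a CI pipeline, `find_unmasked_pii` run against every renderer that produces customer-facing output turns the written masking policy into a control that a change to the data flow cannot silently remove; the unsafe renderer above would fail that check and block the release.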
Actions speak louder than (written) words
Although the Cybersecurity Regulation requires covered entities to implement and maintain written policies and procedures to protect information systems and the nonpublic information they contain, missing policies weren’t the biggest issue in the PayPal consent order. Indeed, NYDFS cited multiple relevant policies and procedures PayPal already had in place, including those for change management, user authentication, and access controls. The problem, according to the consent order, was that PayPal failed “to ensure the proper implementation of its cybersecurity policies and procedures.”
The PayPal consent order thus serves as an important reminder that the written policies and procedures required by the Cybersecurity Regulation (including the more expansive requirements under the 2023 amendments) don’t amount to much without effective implementation in the real world. In other words, NYDFS regulators will want to see that the policies and procedures required by the Regulation have been implemented in practice, not just on paper.
It’s all about the people
Another key finding in the consent order related to PayPal’s personnel: NYDFS found that PayPal failed both (1) to use qualified cybersecurity personnel to perform and oversee the performance of core cybersecurity functions, and (2) to provide its personnel with sufficient training to address relevant cybersecurity risks.
Entities subject to the Cybersecurity Regulation should therefore prioritize training and awareness, especially for personnel performing core cybersecurity functions. Under the 2023 amendments, security awareness training is a mandatory component of covered entities’ policies and procedures. Since April 29, 2024, that training must be delivered at least annually and must cover social engineering. And since November 1, 2024, covered entities have also been required to train all employees responsible for implementing the entity’s incident response and business continuity and disaster recovery plans.
We expect to continue to see training as a theme in NYDFS enforcement, both for its role as an important component in implementing a cybersecurity program and a necessary element to comply with the expanded requirements under the 2023 amendments.
Access controls are here again
Access controls in general, and multi-factor authentication (“MFA”) in particular, have been front and center in regulatory enforcement and rulemaking over the last several years, and the PayPal consent order is no exception. In that vein, NYDFS found that PayPal failed to “use effective controls” to protect against unauthorized access to nonpublic information as required by the Cybersecurity Regulation.
While the Cybersecurity Regulation for now still requires only that a covered entity use “effective controls,” beginning November 1, 2025, MFA will become a required component of a covered entity’s cybersecurity toolkit, unless the entity’s CISO has approved in writing the use of reasonably equivalent or more secure compensating controls. Additionally, starting May 1, 2025, the Cybersecurity Regulation will also impose enhanced requirements for access privileges, remote device protocols, password policies, and access management.
At the risk of stating the obvious, covered entities should therefore focus on effective implementation of access controls for nonpublic information.
Prompt reporting and remediation are important, but not cure-alls
In the consent order NYDFS acknowledged PayPal’s cooperation in the investigation as “commendable,” and also “recognize[d] and credit[ed]” PayPal’s remediation efforts “beginning immediately” upon discovering the vulnerability. NYDFS then cataloged those efforts, including that PayPal promptly masked sensitive information in the exposed Form 1099-Ks, implemented CAPTCHA and MFA for account logins, updated its policies, provided training to the engineering team that implemented the change that led to the incident, and improved its monitoring and change management capabilities.
Despite the generally positive tone of that assessment, however, NYDFS still chose to impose a $2 million penalty. The case thus serves as a costly reminder that while prompt response and remediation efforts are important, they cannot fully compensate for the compliance failures that led to an incident.
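The consent order credits “improved monitoring” without saying what that monitoring looks like. As an added example (not PayPal’s code and not drawn from the consent order), the block below shows the kind of detection that distinguishes credential stuffing from an ordinary forgotten password: stuffing replays stolen username/password pairs, so one source address tries many different accounts in a short window with a low success rate, whereas a legitimate user fails a few times against a single account. The log format, the thresholds and the sample login events are constructed assumptions for the example.

```python
"""
Added example, not PayPal's code and not described in the consent order: a
sliding-window credential-stuffing detector over constructed login events.
The log format ("ISO-timestamp ip user result"), thresholds and sample data
are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.9 sprays ten different accounts in ten seconds
# and lands one; 198.51.100.7 is a single user mistyping a password twice.
SAMPLE_LOG = """\
2025-01-01T10:00:00 203.0.113.9 alice FAIL
2025-01-01T10:00:01 203.0.113.9 bob FAIL
2025-01-01T10:00:02 203.0.113.9 carol FAIL
2025-01-01T10:00:03 203.0.113.9 dave SUCCESS
2025-01-01T10:00:04 203.0.113.9 erin FAIL
2025-01-01T10:00:05 203.0.113.9 frank FAIL
2025-01-01T10:00:06 203.0.113.9 grace FAIL
2025-01-01T10:00:07 203.0.113.9 heidi FAIL
2025-01-01T10:00:08 203.0.113.9 ivan FAIL
2025-01-01T10:00:09 203.0.113.9 judy FAIL
2025-01-01T10:05:00 198.51.100.7 alice FAIL
2025-01-01T10:05:30 198.51.100.7 alice FAIL
2025-01-01T10:06:00 198.51.100.7 alice SUCCESS
"""


def parse_events(text):
    """Return (timestamp, ip, user, succeeded) tuples from the assumed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_attempts=8, min_distinct_users=5):
    """Flag source IPs that, within any `window`, made at least `min_attempts`
    login attempts against at least `min_distinct_users` different accounts.
    Returns {ip: {"attempts", "distinct_users", "compromised"}} where
    "compromised" lists accounts that saw a SUCCESS from the flagged IP,
    which is what the incident responder needs to act on first."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        best = None
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(win) >= min_attempts and len(users) >= min_distinct_users:
                if best is None or len(win) > best["attempts"]:
                    best = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "compromised": sorted({e[2] for e in win if e[3]}),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The per-account view (three failures then a success for `alice` from one address) is what a simple lockout rule sees, and it is not stuffing. The per-source view is what catches the attack, and the `compromised` list is the output that should drive forced password resets and step-up authentication on the affected accounts.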