New York State has agreed a $2m settlement with PayPal. The regulator charged PayPal with failing to comply with the state’s cybersecurity regulations, a failure that in turn led to a 2022 data breach.

Specifically, an investigation determined PayPal failed to use qualified personnel to manage key cybersecurity functions and failed to provide adequate training to address cybersecurity risks. These failures led to sensitive customer information, including social security numbers (SSNs), being left unredacted and easily accessible to cybercriminals.

“New York’s nation-leading cybersecurity regulation sets a critical standard for safeguarding consumer data and strengthening the resilience of financial institutions,” said New York State Department of Financial Services Superintendent, Adrienne Harris.

“Qualified cybersecurity personnel are the first line of defence against potential data breaches. Providing proper training and effectively implementing cybersecurity policies and procedures are vital steps to protecting sensitive data and mitigating risks.”

PayPal fine: ‘a wake-up call for data security’

The fine not only highlights a significant breach of trust; it also reflects an increasing regulatory push to hold companies accountable for protecting customer data.

Indeed, it represents a wake-up call for data security, according to Dimitri Sirota, CEO of BigID. He told RBI: “PayPal’s $2m fine underscores the critical need for proper training and robust cybersecurity policies to protect sensitive data. Companies can no longer assume, ‘It won’t happen to us.’ While immediate remediation of every vulnerability may not be possible, proactive steps to mitigate risks can significantly reduce the impact of a breach. The time to prepare for a crisis is not during one.”

New York data regulations resemble EU DORA provisions

Dr. Ilia Kolochenko, CEO at ImmuniWeb, added: “The NY DFS Cybersecurity Regulation (23 NYCRR Part 500) is probably one of the most detailed US state-level regulations related to cybersecurity and data protection, resembling the EU’s DORA in its comprehensive nature.

“This penalty is a clear reminder that cybersecurity is insufficient even if you implement all technical controls by deploying pricey solutions from the leading vendors but fail to properly organise ongoing, organisation-wide training. All entities covered by the Regulation should also consider reviewing the DFS’s October 2024 Industry Letter on the emerging cybersecurity and privacy risks created by GenAI.

“In 2025, we may see some nice surprises with the President Trump administration, like the long-awaited federal data protection and privacy law that may replace the convoluted patchwork of the state laws, terrifically simplifying compliance.”