On April 29, 2026, the New York State Department of Financial Services (“DFS”) issued its first cybersecurity enforcement action of 2026—a Consent Order against Delta Dental Insurance Company and Delta Dental of New York, Inc. (the “Companies”) imposing a $2,250,000 civil monetary penalty for violations of the Part 500 Cybersecurity Regulation. The action is notable as the Department’s first—and to date, only—enforcement action arising from the 2023 MOVEit Transfer breach, and follows the Department’s wave of 2025 enforcement actions against insurers for exposing driver’s license numbers through quoting tools.
The Consent Order underscores two key themes that continue to drive NYDFS enforcement: dispose of data that you no longer need, and notify the Department early. As vulnerabilities like those found in MOVEit become more common, and as we prepare for advanced AI like Mythos to accelerate the discovery of such vulnerabilities, companies should be aware of, and prepare for, the increased risk that systems holding sensitive data will be breached. That makes it even more important for companies to know what data they have, know where they have it, and limit how long they keep it. Engaging prudential regulators promptly when an incident occurs—even before the full scope is known—is highly advisable, especially if the incident relates to a new vulnerability that may be of interest to regulators.
What Happened?
As alleged in the consent order, Delta Dental of California (“DDC”) used Progress Software’s MOVEit Transfer platform to facilitate transfers of files containing nonpublic information (“NPI”) on behalf of itself and affiliates, including the Companies. On June 1, 2023, Progress disclosed a zero-day vulnerability (a vulnerability that was not previously known to the vendor). That same day, DDC identified a malicious script known as a webshell on its servers, shut down access, removed the malicious files and deployed patches.
Just one day after disclosure of the vulnerability, NYDFS issued an industry letter reminding Covered Entities that unauthorized access—including the mere installation of a webshell—constitutes a reportable Cybersecurity Event. Many affected companies moved to notify NYDFS of the incident within days or weeks of learning of impact.
By July 6, 2023, DDC confirmed that data had been exfiltrated. A subsequent forensic review took months and was completed on November 27, 2023. The review determined that approximately 60,000 files had been impacted, including insureds’ names, Social Security numbers, driver’s license numbers, financial account information, and health data.
Despite identifying the webshell on June 1 and confirming exfiltration by July 6, DDC did not notify the Department until December 15, 2023.
What NYDFS Found
The Department charged the Companies with four violations: failure to maintain policies for the secure disposal of NPI no longer necessary for business operations (§ 500.13); failure to implement a written policy adequately addressing incident response (§ 500.3(n)); failure to establish a written incident response plan sufficiently addressing regulatory reporting obligations (§ 500.16(b)(6)); and failure to provide timely notice of a Cybersecurity Event (§ 500.17(a)). The Companies agreed to pay a $2,250,000 civil monetary penalty.
The Department’s charges centered on three related failures.
First, data retention: MOVEit Transfer preconfigures each folder with a default 30-day retention setting, after which uploaded files are automatically deleted. DDC had extended this setting to 45 or 60 days for many folders and, in some instances, disabled retention guidelines entirely—with no written policy or procedure governing such changes. As a result, the majority of the approximately 60,000 exfiltrated files had been on the servers longer than 30 days at the time of the breach.
Second, incident response documentation: DDC’s incident response policies and procedures did not provide sufficient detail or guidance on the Companies’ regulatory reporting obligations, including their obligations to report to the Department, which the Department found contributed directly to delayed notification.
Third, notification timing: the Department treated the Companies’ six-month delay as a clear violation of § 500.17(a), emphasizing that its June 2, 2023 guidance made clear that a reportable Cybersecurity Event had occurred at the time of initial compromise. The Department’s analysis reflects its view that Covered Entities cannot wait for forensic certainty before notifying. According to the June 2, 2023 guidance, the notification obligation for the MOVEit matters was triggered by evidence of unauthorized access—such as a webshell—not after confirming the scope or impact of the breach.
Practical Takeaways
- Notify early, even when the picture is incomplete. If a company knows that it is going to need to notify its prudential regulator (whether NYDFS or another regulator), even where the full scope of impact is unknown, it should consider doing so sooner rather than later. It is helpful to assess whether peers are notifying early in industry-wide events to get benchmarking on expectations. Also, early notification, even with caveats and incomplete information, can earn goodwill with a regulator. Based on our experience, many companies affected by MOVEit notified their regulators in June and July 2023, often proactively and prior to completing forensic and e-discovery reviews. Delta Dental waited until December, presumably when it finished its e-discovery efforts and conclusively determined to notify state regulators under data breach laws, thereby triggering Part 500’s 72-hour knock-on notice requirement following such a determination. In matters where it is clear that notification will be required under state data breach laws, consider notifying NYDFS before e-discovery is complete.
- Beef up your incident response plan—and make it specific. It is not sufficient for an IR plan to briefly mention notifying regulators. For regulated entities subject to specific regulations that call out incident response plans, consider adding the specific notification triggers and timelines under each, and the internal steps for determining when the notification clock starts. The Department charged the deficiency in Delta Dental’s IR plan as two standalone violations under §§ 500.3(n) and 500.16(b)(6). If your plan does not specifically reference the 72-hour Part 500 notification window, the criteria that trigger it, and the Department’s published guidance on what counts as a reportable event, consider adding them, even if only in an appendix or other playbook.
- Take DFS guidance and FAQs seriously. While there is a legitimate question about whether an agency can effectively change its rules by issuing guidance letters or FAQs that broaden the scope of conduct treated as a violation, the Delta Dental order makes clear that the Department expects companies to follow its guidance, and that ignoring that guidance carries risk. Here, the Department treats the mere installation of a webshell as a reportable Cybersecurity Event, going beyond the plain meaning of the text of Part 500 at the time of the MOVEit matters and essentially treating the Department’s informal guidance as a binding requirement. As such, companies should monitor DFS industry letters and FAQs as they are published and integrate them into their compliance programs in real time.
- Aggressively minimize data. The Department’s focus on DDC’s 45- to 60-day retention settings—which were not unusually long relative to industry norms—illustrates that the question is not just “how long is too long” but “why is this data still here at all?” As we have written previously, including in connection with Mythos, companies should audit their data retention practices, ensure that deviations from default settings are governed by written policies and approval procedures, and start deleting data that is not actually needed. The Department’s recent enforcement trajectory—from the 2025 insurance cases through this order—shows that the Department is now as focused on data retention as it is on data protection, and that strong security controls may be insufficient in the eyes of the Department if the data should not have been retained in the first place. Given the increasing frequency of breaches, the safest approach may be to assume a breach will occur and to limit how much sensitive data you keep, and how long you keep it.
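One way to operationalize the retention audit that the order's first finding (the lengthened and disabled folder retention settings) and this last takeaway both call for, as an added illustration that is not code from the Consent Order, the Department, Delta Dental or Progress Software: a short Python script that checks an inventory of transfer folders against the 30-day default, flags folders where automatic deletion was lengthened or disabled without an approval record, counts how many files on the server are already older than the default, and separately flags folders where files have outlived even their configured limit (a sign that automatic deletion is not actually running). The folder names, file ages and the approval-ticket field are constructed for the example; a real deployment would populate the inventory from the transfer platform's own administrative export.

```python
"""Retention audit for a managed file-transfer server.

Policy encoded here: the per-folder default (30 days) is the baseline,
every deviation from it needs a written approval record, and files older
than the default are counted as avoidable exposure.  The inventory below
is constructed sample data, not data from any real deployment.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_RETENTION_DAYS = 30  # the per-folder default described in the order


@dataclass
class Folder:
    name: str
    retention_days: Optional[int]  # None means automatic deletion was disabled
    approval_ref: Optional[str]    # hypothetical change-ticket id authorising a deviation
    file_ages_days: List[int]      # age in days of each file present on the audit date


def audit_folder(folder: Folder, default_days: int = DEFAULT_RETENTION_DAYS) -> dict:
    """Return the findings for a single folder."""
    disabled = folder.retention_days is None
    deviates = disabled or folder.retention_days != default_days
    over_default = sum(1 for age in folder.file_ages_days if age > default_days)
    # Files older than the configured limit should not exist if auto-delete works.
    # With retention disabled there is no limit, so nothing can be "over" it.
    limit = folder.retention_days
    over_configured = 0 if limit is None else sum(1 for age in folder.file_ages_days if age > limit)
    return {
        "name": folder.name,
        "retention_days": folder.retention_days,
        "disabled": disabled,
        "deviates_from_default": deviates,
        "undocumented_deviation": deviates and folder.approval_ref is None,
        "files_total": len(folder.file_ages_days),
        "files_over_default": over_default,
        "files_over_configured": over_configured,
    }


def audit(folders: List[Folder], default_days: int = DEFAULT_RETENTION_DAYS) -> dict:
    """Audit every folder and roll the results up into a server-wide summary."""
    findings = [audit_folder(f, default_days) for f in folders]
    total = sum(x["files_total"] for x in findings)
    over = sum(x["files_over_default"] for x in findings)
    return {
        "folders": findings,
        "files_total": total,
        "files_over_default": over,
        "share_over_default": over / total if total else 0.0,
        "folders_disabled": [x["name"] for x in findings if x["disabled"]],
        "folders_undocumented": [x["name"] for x in findings if x["undocumented_deviation"]],
        "folders_autodelete_broken": [x["name"] for x in findings if x["files_over_configured"]],
    }


# Constructed inventory: names, ages and ticket ids are hypothetical.
SAMPLE_INVENTORY = [
    Folder("claims-inbound", 30, None, [3, 12, 29]),            # at default, compliant
    Folder("provider-files", 45, "CHG-0417", [10, 40, 50]),     # approved deviation, but a 50-day file survives
    Folder("legacy-exports", None, None, [5, 90, 200, 400]),    # retention disabled, no approval
    Folder("broker-uploads", 60, None, [31, 59]),               # lengthened without approval
]


def audit_sample() -> dict:
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_INVENTORY)


if __name__ == "__main__":
    report = audit_sample()
    print(f"{report['files_over_default']} of {report['files_total']} files "
          f"({report['share_over_default']:.0%}) are older than the {DEFAULT_RETENTION_DAYS}-day default")
    print("retention disabled:        ", report["folders_disabled"])
    print("undocumented deviations:   ", report["folders_undocumented"])
    print("auto-delete not enforced:  ", report["folders_autodelete_broken"])
```

The summary's `share_over_default` is the figure the order cares about: the proportion of data on the server that would not have been there at all had the default been left in place. The `folders_undocumented` list maps directly to the § 500.13 finding, since a deviation is only a policy problem when nothing in writing authorises it; the `folders_autodelete_broken` list catches the quieter failure where a limit is configured but not actually enforced.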
Conclusion
The MOVEit Transfer vulnerability affected hundreds of organizations across sectors, yet this is the only NYDFS enforcement action to arise from it—and the only set of companies the Department has targeted. The differentiating factor for Delta Dental was not the cause of the breach (no entity can anticipate a zero-day exploit), but how it handled the aftermath.
When regulators look at a widespread cyber incident and decide whom to pursue, they look for evidence that a company’s internal controls were deficient. Here, the Department found such deficiencies in three places: an inadequate incident response plan that did not clearly address regulatory reporting obligations with sufficient specificity, the absence of written data retention policies resulting in tens of thousands of files sitting on servers longer than necessary, and delayed notification to the Department.
The Consent Order interprets Part 500 as it read prior to November 1, 2023, and therefore does not provide direct insight into how the Department will apply the amended regulation in the future. More broadly, the Consent Order reinforces trends that have become clear across the Department’s recent enforcement actions: the increasing emphasis on proactive regulatory engagement, the treatment of incident response documentation as a first-order compliance obligation rather than a formality, the expectation that policies actually be followed in practice—not just written down—and a growing focus on data minimization.
***
The cover art for this blog post was generated by ChatGPT.