4 February 2025

New York Department Of Financial Services Reaches $2,000,000 Settlement With Peer-To-Peer Payment Platform

Varun Bhatnagar

On January 23, 2025, the New York Department of Financial Services (DFS) announced that it reached a $2,000,000 settlement as part of a broader consent order with a peer-to-peer payment platform ("P2P") about its cybersecurity practices. DFS contended that the P2P violated rules on Cybersecurity Policy, Cybersecurity Personnel and Intelligence, and Multi-Factor Authentication (MFA) after DFS's investigation into a December 2022 security event.

A security analyst at the P2P discovered a security event on December 6, 2022, which spurred DFS's investigation. According to DFS, the P2P discovered that the Form 1099-Ks, a type of tax form available on the P2P's online platform, contained unmasked consumer information, including names, dates of birth, and full SSNs. Per DFS, this vulnerability stemmed from a feature that was recently deployed for tax purposes. The next day, there allegedly was a spike in attempts to access the P2P's online platform.

DFS identified alleged deficiencies in three areas of the P2P's cybersecurity program: policy, personnel and intelligence, and MFA. First, the P2P's policy required new features to be tested; however, this policy was not implemented properly. The Form 1099-K feature was updated, but engineering teams allegedly misclassified the code change, which resulted in the requisite testing being skipped. The second deficiency, personnel and intelligence, was allegedly tied directly to the policy breach. Per DFS, by not properly training the engineering team on the P2P's policies, the P2P allowed the feature to be deployed without testing. Lastly, the P2P was obligated to use MFA under DFS's Cybersecurity Regulation, but the MFA feature was allegedly optional for consumers. Per DFS, the security event could have been mitigated if consumers had been able to deny sign-in to threat actors attempting to exploit the bug.
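The first two deficiencies described above come down to one control: the client-facing tax form must be masked before it is rendered, and a release gate must verify that on every change, whether or not the change was classified correctly. The following is an added illustration, not code from the platform or from the consent order; the `Form1099K` record, the function names and the sample values are constructed for the example.

```python
import re
from dataclasses import dataclass


# Constructed sample record type; field names are assumptions for this example.
@dataclass(frozen=True)
class Form1099K:
    payee_name: str
    date_of_birth: str  # ISO yyyy-mm-dd as stored server-side
    tin: str            # full SSN/TIN as stored server-side, e.g. "123-45-6789"


FULL_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
FULL_DOB = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def mask_tin(tin: str) -> str:
    """Show only the last four digits, the usual presentation on tax forms."""
    digits = re.sub(r"\D", "", tin)
    if len(digits) != 9:
        raise ValueError("TIN must have nine digits")
    return "***-**-" + digits[-4:]


def mask_dob(dob: str) -> str:
    """Keep only the year; the consumer-facing view does not need the full date."""
    return dob[:4] + "-**-**"


def render_form(form: Form1099K) -> dict:
    """Build the client-visible view. Masking happens here, before serialization."""
    return {
        "payee_name": form.payee_name,
        "date_of_birth": mask_dob(form.date_of_birth),
        "tin": mask_tin(form.tin),
    }


def render_form_raw(form: Form1099K) -> dict:
    """Defective variant standing in for the incident: fields pass through unmasked."""
    return {"payee_name": form.payee_name, "date_of_birth": form.date_of_birth, "tin": form.tin}


def leaks_sensitive_fields(rendered: dict) -> list[str]:
    """Release gate: name every field whose value still carries a full SSN or DOB.
    Run over the rendered fixtures on every deployment, regardless of how the
    change was classified, so a skipped manual test cannot let this through."""
    return [field for field, value in rendered.items()
            if isinstance(value, str) and (FULL_SSN.search(value) or FULL_DOB.search(value))]
```

The gate flags both fields of the raw rendering and nothing in the masked one, which is the check that a misclassified change would otherwise have bypassed.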

The P2P cooperated with the investigation and rapidly addressed these concerns, drawing praise from DFS. According to DFS, the P2P's good-faith investigation, its cooperation and the gravity of the incident, and the public interest factored into the penalty assessment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
