Understanding the PayPal Cybersecurity Settlement with New York

On January 23, 2025, the New York State Department of Financial Services (“NYDFS”) announced a $2 million penalty for PayPal, Inc. after an investigation revealed significant cybersecurity failures that exposed sensitive customer information. This case is a reminder for businesses regulated by NYDFS about the importance of properly implementing cybersecurity policies, training personnel, and ensuring strong access controls.

The incident occurred when PayPal made changes to its data flows in an effort to make IRS Form 1099-Ks more accessible to customers. Unfortunately, the engineering team responsible for these changes was not adequately trained, and as a result, they failed to follow proper procedures. This oversight allowed cybercriminals to exploit compromised credentials and access sensitive customer data, including Social Security numbers, through these forms. The situation was further exacerbated by PayPal’s failure to implement effective access controls and identity management policies.

NYDFS found that while PayPal had written policies in place regarding cybersecurity functions such as change management, user authentication, and access control, the real issue was the failure to properly implement these policies in practice. This is a critical takeaway for all businesses: simply having written policies is not enough. You must ensure that they are effectively executed and followed by your team to minimize the risk of cybersecurity breaches.

Additionally, NYDFS highlighted the fact that PayPal did not use qualified cybersecurity personnel to oversee the implementation of key cybersecurity functions, nor did it provide sufficient training to its staff. This lack of training contributed significantly to the incident. As part of the updated cybersecurity regulations that took effect in 2023, training and awareness have become even more critical components of an effective cybersecurity strategy. From May 2024, all personnel involved in implementing your cybersecurity program, including incident response and disaster recovery plans, must undergo annual training.

One of the key issues identified in the PayPal case was the failure to implement multi-factor authentication (“MFA”) and other effective access controls to prevent unauthorized access to nonpublic information. While MFA is not yet a mandatory requirement under the NYDFS Cybersecurity Regulation, it will be starting November 1, 2025. Given the growing emphasis on access controls, including MFA, it is critical for businesses to prioritize this in their cybersecurity practices.

The $2 million penalty, despite PayPal’s prompt remediation efforts, is a reminder that regulatory agencies take compliance failures seriously. While taking swift action to address vulnerabilities and improve security measures is important, it is not a substitute for meeting the cybersecurity requirements upfront.

For businesses operating in New York under the jurisdiction of NYDFS, this case should prompt a review of your current cybersecurity policies and procedures. Ensure that your team is not only trained on cybersecurity best practices but that the implementation of these policies is closely monitored. Additionally, prioritize implementing access controls, including MFA, and begin preparing for the May 2025 deadline for enhanced access management requirements. Taking these steps now will help avoid costly penalties and reduce the risk of a data breach.

© 2025 Cliclaw.com

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
