On 23 January 2025, the New York State Department of Financial Services (NYDFS) announced that it had imposed a USD 2 million fine against PayPal for violations of the state's Cybersecurity Regulation. In particular, an investigation revealed that PayPal failed to employ qualified personnel for key cybersecurity roles and did not provide adequate training to address cybersecurity risks. Furthermore, PayPal failed to implement written policies for access controls, identity management, and customer data and failed to use effective controls to protect against unauthorised access to Nonpublic Information or Information Systems. These failures led to the exposure of sensitive customer information, which was made accessible to cybercriminals.