On August 13, 2024, the attorneys general of New York, New Jersey, and Connecticut announced a joint $4.5 million settlement with Enzo Biochem, Inc. over a ransomware attack that exposed the data of roughly 2.4 million patients. For government contractors who think only in federal terms, this case is a useful jolt: state AGs enforce data-security duties, and they coordinate across state lines.
What Happened
Enzo, a biotech company that offered diagnostic testing, suffered a ransomware attack that compromised the personal and private health information of about 2.4 million people. Investigating, the New York AG's office found that "Enzo had poor data security practices" that enabled the attack. The three states divided the $4.5 million penalty.
Money was not the only consequence. Enzo agreed to a corrective action plan requiring it to implement a robust information security program — the kind of injunctive term that often outlasts and outweighs the check, because it imposes ongoing obligations and oversight.
Why a Federal Contractor Should Read This
Three features make this case instructive even if you have never held a state contract:
1. State law keys off whose data you hold, not who you contract with. Enzo was a private company, but the same residency-based logic reaches federal contractors. If you hold the personal data of residents of a state, that state's data-security and breach-notification laws can apply — regardless of which federal agency you serve. (See State Requirements and our post on state laws contractors overlook.)
2. "Reasonable security" is enforceable. The hook was "poor data security practices." Many state regimes impose a reasonable-security duty, and AGs use it. If you already run NIST SP 800-171-style controls for federal work, you are well positioned — but you must actually operate them, not just document them.
3. AGs coordinate. A single incident affecting residents of multiple states can draw a joint investigation and a pooled penalty. One breach, many jurisdictions.
The Corrective Action Plan Is the Real Cost
The required security-program build-out — risk assessments, controls, governance, and often years of reporting — typically costs more than the headline penalty and constrains the business going forward. Build the program before an incident, and you avoid being told how to build it afterward, under supervision.
What to Do Now
- Inventory personal data by state of residence. You cannot meet obligations you cannot see.
- Operate, don't just document, reasonable security. Patch, segment, back up offline, and test recovery — ransomware exploits the gap between policy and practice.
- Build a multi-state breach-notification matrix. Deadlines, recipients, and content differ by state and run on their own clocks, independent of any federal reporting window.
- Stand up the security program now, so a regulator never has to design one for you.
Key Takeaways
- Three state AGs jointly settled with Enzo Biochem for $4.5M over a ransomware breach traced to poor security practices.
- State data-security and breach laws reach you based on whose data you hold — federal contracting doesn't preempt them.
- The corrective action plan — a mandated security program — is often the costlier, longer-lasting consequence.
Map your state exposure on the State Requirements page, then confirm your full obligation set with Find My Requirements. *(A settlement is not an admission of liability.)*