Written by Timothy M. Carter
Following a publicized commitment to increased cybersecurity enforcement, the New York Department of Financial Services (“NYDFS”) initiated its first enforcement action against First American Title Insurance Co. (“First American”) on July 22, 2020. Stemming from First American’s alleged failure to adequately safeguard highly confidential, personal consumer information – including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images – this action is the first of its kind brought under NYDFS’s expansive Cybersecurity Regulations (the “Regulations”). The Regulations took effect on March 1, 2017 and established strict cybersecurity requirements for financial services companies licensed to operate under New York’s Banking Law, Insurance Law or Financial Services Law (a “covered entity”).
Among other requirements, the Regulations require a covered entity to:
- Implement and maintain cybersecurity policies and procedures that address consumer data privacy and other consumer protection issues with effective controls, secure access privileges, and thorough and regular cybersecurity risk assessments.
- Provide comprehensive training and monitoring for all personnel, and establish corporate governance procedures that ensure senior management is involved in and responsible for the entity’s cybersecurity and data protection program.
- Base its cybersecurity policies and procedures on periodic risk assessments, so that the many risks that continuously threaten the security of customers’ private data are evaluated on an ongoing basis.
Between October 2014 and May 2019, a known vulnerability on First American’s website gave anyone with a web browser the ability to access the records of tens of millions of consumers. Although First American’s Cyber Defense Team detected the vulnerability in December 2018, it remained unresolved for another six months, notwithstanding the fact that hundreds of millions of documents were exposed. This failure, according to the NYDFS, resulted from a “cascade of errors that occurred substantially due to flaws in [First American’s] flawed vulnerability remediation program.”
In its Statement of Charges and Notice of Hearing, NYDFS alleged multiple failures by First American in addressing the vulnerability, including that First American:
- grossly underestimated the level of risk associated with the vulnerability;
- failed to follow its own cybersecurity policies by neglecting to conduct a security review and a risk assessment for the sensitive data associated with the vulnerability;
- failed to follow the advice of its own in-house cybersecurity team to further investigate and remedy the vulnerability;
- failed to conduct a reasonable investigation into the scope and cause of the vulnerability, and thereby significantly underestimated the seriousness of the vulnerability and delayed its response by six months; and
- ineffectively assigned remediation of the vulnerability to a new employee who had little experience in data security and received little support.
First American has challenged NYDFS’ version of events, citing a review by a third-party consultant that found only a limited number of documents were at risk, none of which belonged to New York consumers. Pursuant to Section 408 of the Financial Services Law, NYDFS is seeking civil monetary penalties and an order to remedy the alleged violations.
New York State has been especially active in recent years in addressing cybersecurity and data protection matters. Most recently, New York’s SHIELD Act, which amends the state’s data breach notification law and expands data security requirements to cover any person or entity holding private information of a New York resident, regardless of whether the data collector conducts business in New York State, took effect on March 21, 2020.
NYDFS’s enforcement action against First American highlights the importance of actively monitoring and evaluating an organization’s cybersecurity program, data security policies, and vulnerability remediation program. Regular security and compliance assessments, performed in a timely manner by suitably trained and supervised personnel, are crucial to ensuring compliance, safeguarding sensitive consumer data, and mitigating legal risk.