The New York State Department of Financial Services (DFS) recently filed a statement of charges against First American Title Insurance Company, alleging that a First American data breach exposed millions of documents containing consumers’ personal information. The charges are the first to be filed alleging violations of DFS’s Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations. We’ve previously reported on the DFS Cybersecurity Regulation, which became effective March 2017.
The statement of charges alleges that a vulnerability in First American’s information systems exposed consumers’ personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images, over the course of several years. DFS alleges that from at least October 2014 through May 2019, the vulnerability left these records available to anyone with a web browser. The charges allege that the vulnerability went undetected for approximately four years and that, after a penetration test discovered it in December 2018, First American did not remediate it for another six months. By then, a journalist who covers cybersecurity had publicly reported the exposure. Only after that publication did First American report the breach to DFS, as required under 23 NYCRR 500.17, which calls for notice to the superintendent no later than 72 hours after a covered entity determines that a reportable cybersecurity event has occurred.
The First American information system at issue allows title agents and other First American employees to share any document with outside parties. In April 2018, this system contained 753 million documents, 65 million of which First American had designated as containing non-public information (NPI). However, the statement of charges also points to an April 2018 presentation by senior members of First American’s IT and information security management teams to its board of directors showing that, within a random sample of 1,000 documents in the system, 30% of the documents that actually contained NPI had not been designated as such. The true number of NPI-bearing documents may therefore have been millions higher than the designated count.
DFS alleges multiple failures in First American’s handling of the vulnerability and the resulting breach, including:
- failure to comply with internal policies in a number of ways,
- failure to conduct a security review and risk assessment of the flawed computer program and the sensitive data associated with the vulnerability,
- misclassifying the known vulnerability as “low” severity despite knowing the magnitude of the exposure,
- failure to investigate the vulnerability within the timeframe dictated by First American’s internal policies,
- conducting an unacceptably minimal review of exposed documents,
- failure to follow the recommendations of its own internal cybersecurity team, and
- delegating remediation to an unqualified employee.
Ultimately, DFS claims that First American violated six provisions of the Cybersecurity Regulation that require each covered entity to:
- maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of the covered entity’s information systems, based on a risk assessment and designed to perform core cybersecurity functions;
- maintain a written policy or policies, approved by a senior officer or the board of directors, setting forth the covered entity’s policies and procedures for the protection of its information systems and the NPI stored on those systems, based on the risk assessment;
- limit user access privileges to information systems that provide access to NPI and periodically review those access privileges;
- conduct a periodic risk assessment sufficient to inform the design of the cybersecurity program;
- provide regular cybersecurity awareness training for all personnel, and such training must be updated to reflect risks identified by the covered entity in its risk assessment; and
- implement controls, including encryption, to protect NPI held or transmitted by the covered entity both in transit over external networks and at rest.
A hearing will be held on October 26, 2020. The Cybersecurity Regulation is implemented pursuant to Section 409 of the Financial Services Law. Under Section 408 of the Financial Services Law, a violation with respect to a financial product or service, which includes title insurance, is subject to a penalty of up to $1,000 per violation. DFS alleges that each instance of NPI encompassed within the charges constitutes a separate violation. Given the extremely large number of documents containing NPI, whether designated as such or not, the aggregate penalty could be enormous.
As the first enforcement action under the regulation, this case will show how willing DFS is to pursue penalties and re-emphasize the importance of a compliant cybersecurity program, including timely vulnerability remediation, accurate severity classification, and prompt breach reporting.