The New York State Department of Financial Services (DFS) recently filed a statement of charges against First American Title Insurance Company, alleging that a First American data breach exposed millions of documents containing consumers’ personal information. The charges are the first to be filed alleging violations of DFS’s Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations. We’ve previously reported on the DFS Cybersecurity Regulation, which became effective March 2017.
The statement of charges alleges that a vulnerability in First American’s information systems resulted in the exposure of consumers’ personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images, over the course of several years. DFS alleges that from at least October 2014 through May 2019, due to a known vulnerability, these records were available to anyone with a web browser. The charges allege that the vulnerability went undetected for approximately four years and that, after a penetration test discovered it in December 2018, First American did not remedy the problem for six more months. By that time, the breach had been made public by a journalist who reports on cybersecurity issues. It was only after the publication that First American reported the breach to DFS, as required under 23 NYCRR 500.17.
The First American information system at issue allows title agents and other First American employees to share any document with outside parties. In April 2018, this system contained 753 million documents, 65 million of which had been designated by First American as containing non-public information (NPI). However, the statement of charges also points to an April 2018 presentation by senior members of First American’s IT and information security management teams to its board of directors that demonstrated that within a random sample of 1,000 documents in the system, 30% of those documents containing NPI were not designated as such. Therefore, there may have been millions of documents containing NPI that were not designated properly.
DFS alleges multiple failures in First American’s handling of the breach, including:
Ultimately, DFS claims that First American violated six provisions of the Cybersecurity Regulations that require each covered entity to:
A hearing will be held on October 26, 2020. The Cybersecurity Regulations are implemented pursuant to Section 409 of the Financial Services Law. A violation of Section 408 with respect to a financial product or service, which includes title insurance, is subject to penalties of up to $1,000 per violation. DFS alleges that each instance of NPI encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties. Given the extremely large number of documents containing NPI, whether designated as such or not, the penalties could be massive.
As this is the first enforcement action that we are seeing, it will undoubtedly demonstrate DFS’s willingness to pursue penalties and re-emphasize the importance of a compliant cybersecurity program.