On Wednesday, July 22, the New York Department of Financial Services (the “NYDFS”) announced that it had filed administrative charges against First American Title Insurance Co. under the NYDFS Cybersecurity Regulation, marking the agency’s first enforcement action since the rules went into effect in March 2017.

The Statement of Charges (the “Statement”) alleges that First American failed to fix a vulnerability on its public-facing website, resulting in the exposure of millions of documents containing consumers’ sensitive personal information (Nonpublic Information or “NPI”), including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts and drivers’ license images. The Statement alleges multiple failures in First American’s handling of the data exposure, including the failure to:

  • follow its own policies, by neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
  • properly classify the severity of the vulnerability despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American’s internal cybersecurity policies;
  • conduct a reasonable investigation into the scope and cause of the vulnerability after it was discovered by an internal penetration test in December 2018, thereby significantly underestimating the seriousness of the vulnerability; and
  • follow the recommendations of First American’s internal cybersecurity team to conduct further investigation into the vulnerability.

In addition to these errors, the NYDFS also alleges that deficient controls and other flaws in First American’s cybersecurity practices led to the data exposure that remained unaddressed from at least October 2014 through May 2019.

The Statement alleges that First American violated six provisions of the Cybersecurity Regulation:

  1. 23 NYCRR 500.02: The requirement to maintain a cybersecurity program that is designed to protect the confidentiality, integrity and availability of the covered entity’s information systems, and which is based on the covered entity’s risk assessment.
  2. 23 NYCRR 500.03: The requirement to maintain a written policy or policies, approved by senior management, setting forth the covered entity’s policies and procedures for the protection of its information systems and the NPI stored on those systems.
  3. 23 NYCRR 500.07: The requirement to limit user access privileges to information systems that provide access to NPI and periodically review such access privileges.
  4. 23 NYCRR 500.09: The requirement to conduct a periodic risk assessment of the covered entity’s information systems to inform the design of its cybersecurity program.
  5. NYCRR 500.14(b): The requirement to provide regular cybersecurity awareness training for all personnel as part of the covered entity’s cybersecurity program, and to update such training to reflect risks identified by the covered entity in its risk assessment.
  6. NYCRR 500.15: The requirement to implement controls, including encryption, to protect NPI held or transmitted by the covered entity both in transit over external networks and at rest.

A hearing on the matter will be held on October 26, 2020 at the office of the NYDFS.