On March 3, 2020, the New York Department of Financial Services (“NYDFS”) announced it had entered into a settlement with Residential Mortgage Services, Inc. (“RMS”) related to allegations that RMS violated the NYDFS Cybersecurity Regulation in connection with a 2019 data breach.

According to NYDFS, RMS, a licensed mortgage banker, experienced a data breach involving unauthorized access to an employee’s email account. The relevant email account allegedly had “a significant amount of sensitive personal data of mortgage loan applicants” that was exposed as a result of the compromise. NYDFS further alleged that RMS did not conduct an investigation or identify the compromised consumer data until directed to do so by NYDFS in 2020. NYDFS then conducted an examination, which concluded that RMS violated the Cybersecurity Regulation by failing to timely report the data breach. NYDFS also found that RMS “failed to have a comprehensive Cybersecurity Risk Assessment, another requirement of the Cybersecurity Regulation.”

As part of the settlement, RMS agreed to pay a $1.5 million penalty and undertake improvements to its existing cybersecurity program to bring the relevant controls into compliance with the Cybersecurity Regulation. According to the NYDFS press release, NYDFS “notes that RMS cooperated throughout the examination and investigation, and has appeared committed to expediting remediation of its cybersecurity controls.”
