On July 21, 2020, the New York Department of Financial Services (DFS) filed a “Statement of Charges and Notice of Hearing” (the “Charges”) against First American Title Insurance Company (the “Company”) alleging violations of DFS’s Cybersecurity Regulation (23 N.Y.C.R.R. Part 500). In its first enforcement action under the Cybersecurity Regulation, DFS alleges the Company failed to remedy a vulnerability on its public-facing website that “exposed tens of millions of documents that contained consumers’ sensitive personal information including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images.”
DFS’s Cybersecurity Regulation went into effect in March 2017 and was implemented in phases over a two-year period, with the last phase effective March 1, 2019. The Cybersecurity Regulation mandates minimum cybersecurity standards for any banking, insurance or brokerage firm operating under a New York license. The Nebraska-based stock insurance company is a licensee authorized to write title insurance in New York, making it a covered entity subject to the first-in-the-nation Cybersecurity Regulation. Covered entities were required to certify compliance with each provision for the first time by June 1, 2020, a deadline extended due to COVID-19.
According to the Charges, the Company maintains a web-based document delivery system that allowed employees and agents to share documents containing sensitive nonpublic information with other parties to a transaction. Documents shared included Social Security numbers, drivers’ licenses, and banking and tax information. Once a party or participant to a transaction selected documents to share, the recipient received a link to a website where the documents could be accessed. Anyone with the link or URL could access the documents without login or authentication.
Allegedly, an update in October 2014 introduced a vulnerability into the document delivery system that allowed anyone to change one digit in the URL and access other documents containing sensitive nonpublic information that they were not authorized to view. DFS alleges the vulnerability existed for years and was only discovered in a penetration test in December 2018, when the Company’s Cyber Defense Team simulated a cyberattack to identify vulnerabilities that could be exploited. Allegedly, the Cyber Defense Team viewed 10 documents exposed by the vulnerability; although none contained nonpublic information, the team strongly recommended further investigation, but no further review was conducted. DFS alleges it was not until after Krebs on Security published the vulnerability in May 2019 that the Company reported the incident to DFS as required by the Cybersecurity Regulation.
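The Charges describe a share-link system in which a sequential identifier in the URL was the only thing standing between a recipient and every other party’s documents. The following Python is an added illustration written for this post; it is not the Company’s code and is not drawn from the Charges. It contrasts a lookup keyed on a guessable numeric id (the pattern the Charges describe) with a link design that binds each link to a single document through a random, expiring capability token, and adds a small log check that would have surfaced the access pattern an enumeration of sequential ids produces. The document store, the access-log format, the IP addresses and the token scheme are all constructed for the example.

```python
import hashlib
import re
import secrets
import time
from dataclasses import dataclass

# Constructed sample store: document id -> (transaction it belongs to, description)
DOCUMENTS = {
    1001: ("txn-A", "bank statement"),
    1002: ("txn-B", "tax record"),
    1003: ("txn-C", "driver's license image"),
}


def vulnerable_fetch(doc_id):
    """Vulnerable pattern: the sequential id in the link is the only key.
    There is no login and no check that the caller was granted this document,
    so altering the id returns another party's document."""
    return DOCUMENTS.get(doc_id)


@dataclass
class ShareGrant:
    doc_id: int
    expires_at: float


class ShareService:
    """Hardened pattern: each share link carries a random capability token that
    maps to exactly one document and expires. Tokens are stored hashed, as an
    API key would be, so a copy of the grant table cannot be replayed."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._grants = {}  # sha256(token) -> ShareGrant

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_link(self, doc_id, transaction_id):
        # The sender may only share documents belonging to their own transaction.
        if doc_id not in DOCUMENTS or DOCUMENTS[doc_id][0] != transaction_id:
            raise PermissionError("document is not part of this transaction")
        token = secrets.token_urlsafe(32)  # 256 random bits: not enumerable
        self._grants[self._digest(token)] = ShareGrant(doc_id, time.time() + self.ttl)
        return f"/share/{token}"

    def fetch(self, link, now=None):
        now = time.time() if now is None else now
        token = link.rsplit("/", 1)[-1]
        grant = self._grants.get(self._digest(token))
        if grant is None or now > grant.expires_at:
            return None  # unknown, tampered or expired link
        return DOCUMENTS[grant.doc_id]


# Constructed log format: "<timestamp> <client> GET /docs/<id>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET /docs/(\d+)")


def flag_id_enumeration(log_lines, min_run=5):
    """Detection: flag clients whose requests walk consecutive document ids,
    the access pattern a sequential-id link system produces when someone
    browses documents they were never sent. Returns {client: longest run}."""
    ids_by_client = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client.setdefault(m.group(2), []).append(int(m.group(3)))
    flagged = {}
    for client, ids in ids_by_client.items():
        seq = sorted(set(ids))
        longest = run = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[client] = longest
    return flagged


# Constructed access-log sample: one client walks ids, one opens a single link.
SAMPLE_LOG = [
    "2019-04-01T10:00:01Z 203.0.113.5 GET /docs/1001",
    "2019-04-01T10:00:02Z 203.0.113.5 GET /docs/1002",
    "2019-04-01T10:00:03Z 203.0.113.5 GET /docs/1003",
    "2019-04-01T10:00:04Z 203.0.113.5 GET /docs/1004",
    "2019-04-01T10:00:05Z 203.0.113.5 GET /docs/1005",
    "2019-04-01T10:05:00Z 198.51.100.7 GET /docs/1002",
]

if __name__ == "__main__":
    print("vulnerable lookup:", vulnerable_fetch(1002))
    svc = ShareService()
    link = svc.create_link(1001, "txn-A")
    print("hardened lookup:", svc.fetch(link), "tampered:", svc.fetch(link[:-1] + "!"))
    print("clients enumerating ids:", flag_id_enumeration(SAMPLE_LOG))
```

Two design points matter for the investigation failures the Charges describe. First, the hardened service refuses at link-creation time to share a document outside the sender’s transaction, so authorization is enforced where the grant is made rather than inferred from the URL. Second, the enumeration check runs over ordinary access logs; a review limited to a handful of documents, as the Charges allege, would not show the scale of exposure, whereas a run-length count per client over the full log does.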
In its press release, DFS alleges that multiple failures by the Company led to violations of various provisions of the Cybersecurity Regulation, including failures to:
- Internal Policies: Follow its own cybersecurity policies by neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability.
- Expert Recommendations: Follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
- Investigation: Conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability.
- Classification: Properly classify the vulnerability as more than “low” severity considering the magnitude of the document exposure.
DFS alleges the Company violated six provisions of the Cybersecurity Regulation including the requirements to:
- Maintain a cybersecurity program based on adequate risk assessments for nonpublic information. (Section 500.02 Cybersecurity Program)
- Maintain and implement appropriate data governance and classification policies. (Section 500.03 Cybersecurity Policy)
- Maintain reasonable access controls. (Section 500.07 Access Privileges)
- Perform periodic risk assessments sufficient to inform the design of the cybersecurity program in line with company policies. (Section 500.09 Risk Assessment)
- Provide adequate data security training for employees. (Section 500.14 Training and Monitoring)
- Encrypt documents marked as sensitive nonpublic information. (Section 500.15 Encryption of Nonpublic Information)
DFS is seeking civil monetary penalties, an order requiring the Company to remedy the violations, and any other relief deemed just and appropriate. Each administrative charge carries penalties of up to $1,000 per violation. DFS contends that each instance of exposed nonpublic information constitutes a separate violation. DFS alleges that hundreds of millions of documents were exposed and that, according to the Company’s own analysis, more than 350,000 documents were accessed without authorization during an 11-month period. With no guidance from DFS on what constitutes a “violation” for purposes of calculating penalties, companies are left guessing as to what the ultimate penalty may be: will a “violation” be counted per day during which the data was exposed, per New York resident affected by the breach, per individual affected by the breach (regardless of residency), or will the incident itself constitute a single violation? Depending on the answer, the Company faces potential penalties in the hundreds of millions of dollars. A hearing will be held on October 26, 2020, before a hearing officer appointed by the Superintendent of Financial Services.
DFS’s first enforcement action suggests covered entities should take a critical look at their cybersecurity programs, as the regulator has signaled it will not only evaluate the reasonableness of a company’s actions but will also judge the quality of the cybersecurity program itself. The Charges illustrate what DFS considers “adequate” or “reasonable” in executing a cybersecurity program in compliance with the regulation. We recommend that companies closely review their written information security plan, incident response plan and vendor management procedures, and evaluate their implementation of privacy and security controls to ensure compliance with the Cybersecurity Regulation, as one misstep could ultimately cost a company millions of dollars in penalties.