New York Department of Financial Services Announces $1.5 Million Settlement of Second Cybersecurity Enforcement Action

Faegre Drinker Biddle & Reath LLP

Faegre Drinker Biddle & Reath LLP

On March 3, 2021, the New York State Department of Financial Services (NYDFS) announced a settlement with Residential Mortgage Services, Inc. (RMS) for $1.5 million in connection with its violation of the NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500). This is the second publicly-announced settlement of an enforcement action brought under NYDFS’s novel cybersecurity regulation (we wrote about the first action).

According to the consent order, in March 2020, NYDFS’ Mortgage Banking Division commenced a routine examination of RMS, which included a review of its compliance with Part 500. RMS is headquartered in Maine, but it is registered as mortgage banker in New York and other states. During the examination, NYDFS determined that RMS failed to report a March 2019 data breach incident, as required by Part 500.

The breach at issue stemmed from a phishing attack carried out against an RMS employee, which led to unauthorized access of the personal data of mortgage loan applicants. RMS also allegedly failed to conduct an investigation of the breach and identify the data exposed until prompted by NYDFS during the investigation. NYDFS also concluded that RMS failed to maintain a comprehensive Cybersecurity Risk Assessment, as required by Part 500.

In addition to the $1.5 million financial penalty, RMS agreed to specific actions to ensure that its cybersecurity program is complaint with Part 500. In its press release, NYDFS noted that “RMS cooperated throughout the examination and investigation, and has appeared committed to expediting remediation of its cybersecurity controls.”

The announcement of the settlement of this cybersecurity enforcement action by NYDFS highlights the importance of comprehensive and prompt response to cybersecurity and data breach incidents, as well as the need to be aware of and comply with notification requirements imposed by state and federal regulators, in addition to requirements imposed by other governmental agencies. As more regulators appear to be moving in the direction of imposing regulations similar to Part 500, the ability of companies to make prompt and accurate reports will only become more important. In addition, companies regulated by NYDFS should take note of an increasingly aggressive enforcement posture that the agency appears to be taking with respect to compliance with Part 500.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising

Written by:

Faegre Drinker Biddle & Reath LLP

Faegre Drinker Biddle & Reath LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.