The New York Department of Financial Services (“DFS”) recently initiated its first enforcement action against a company for violating DFS’s first-in-the-nation cybersecurity regulation. As our readers know, we have written quite a few posts and articles about the regulation. And as we’ve warned, with the regulation now in full effect, covered companies should expect DFS’s Cybersecurity Division to start cracking down on companies that haven’t complied.
It appears that day has come at last. On July 22, DFS filed a statement of charges against First American Title Insurance Company, alleging an array of regulatory violations. According to the charges, since 2014, First American’s document repository—which contains documents with sensitive personal information—was publicly accessible. Each document that First American collected when someone applied for title insurance (such as applications, financial statements, credit reports, etc.) was assigned a document ID. And that document ID corresponded with a unique URL, which anyone could access without login credentials or authentication. So, if First American gave an applicant a link to PDFs of her application materials, she simply had to change a digit in the URL to see someone else’s application documents. Or, as the DFS puts it: “more than 850 million documents were accessible to anyone with a URL address providing access to a single document in the [First American]-generated website.” In fact, many of these documents had been indexed by Google—meaning they would show up in a keyword search and were accessible to the general public.
DFS claims that First American’s IT department caught this vulnerability back in December 2018, but allegedly did not take any meaningful action to remedy the vulnerability. And in May 2019, Krebs on Security flagged the weakness as well. First American’s only response, according to DFS, was to tell employees and applicants not to transmit private information via its document management system.
Unsurprisingly, DFS did not find that response sufficient. Based on our review of the statement of charges, it appears that the agency conducted a thorough investigation of First American before initiating this action. From that investigation, DFS found six separate regulatory violations. And DFS asserts that “each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.” Those civil penalties could be substantial, as DFS asserts that “30% of” the “850 million” documents that First American made publicly available contained nonpublic information.
Although this is DFS’s first cybersecurity action, the agency itself is no stranger to the enforcement process. For this case, DFS has scheduled a hearing for October 26, 2020. In the meantime, we will continue to monitor the action for any updates.