NYDFS Penalizes Mortgage Company For Cyber Breach

Ballard Spahr LLP

On March 3rd, the New York Department of Financial Services (“NYDFS”) announced a settlement with Residential Mortgage Services, Inc. (“RMS”) to resolve allegations that RMS violated the NYDFS Cybersecurity Regulation relating to a 2019 cyber breach.

In July 2020, NYDFS conducted an examination of RMS as a licensed mortgage banker.  During the examination, NYDFS uncovered evidence that allegedly revealed that RMS had been subject to a cyber breach that had not been reported to NYDFS.

This cyber breach allegedly arose when an RMS employee clicked on a hyperlink in a phishing email that falsely appeared to originate from an RMS business partner. The RMS employee provided her email credentials to the malicious website opened by the hyperlink. This compromised the employee’s email account, which contained “a substantial amount of sensitive personal data from mortgage loan.” Although RMS had implemented multifactor authentication (“MFA”), the RMS employee also facilitated the unauthorized access by clicking her approval in response to an access alert from the MFA application on her mobile device.

NYDFS criticized the company for failing to fully investigate the cyber breach and for failing to provide notification of the breach to consumers and state agencies, such as NYDFS.  NYDFS also criticized RMS’s failure to conduct comprehensive cybersecurity risk assessments as required by the NYDFS Cybersecurity Regulation.  For these failures, NYDFS imposed a $1.5 million penalty.

The NYDFS press release about this enforcement action is available here.  A copy of the NYDFS consent order is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
