What the First Enforcement Action under NYDFS Cybersecurity Reg Means to Companies

Sheppard Mullin Richter & Hampton LLP

Late this summer the New York Department of Financial Services (NYDFS) announced its first enforcement action since the cybersecurity rules went into effect in March 2017. The action was brought against First American Title Insurance Co. as a result of a 2018 data breach exposing 850 million customer records containing sensitive personal information.

NYDFS charged First American with violating six provisions of the Cybersecurity Regulation, arguing that, among other violations, First American:

  • failed to utilize risk assessments, security reviews, and its own cybersecurity policies when investigating the vulnerability and sensitive data associated with the vulnerability;
  • misclassified the vulnerability as a “low” severity, and subsequently failed to investigate under the criteria set forth in its cybersecurity policies;
  • did not conduct a reasonable investigation into the vulnerability even after its detection in December 2018, and instead only reviewed 10 of the millions of exposed documents; and
  • failed to follow the advice of its own in-house cybersecurity team to further investigate and remedy the vulnerability.

The statement of charges highlights the NYDFS’s cybersecurity concerns, namely that a company must: (i) encrypt documents containing non-public information (NPI); (ii) limit user access to NPI through access controls; and (iii) provide regular cybersecurity awareness training, as required by the regulations. The NYDFS is seeking civil monetary penalties and an order to remedy the alleged violations; a hearing is set for October 26.

The NYDFS is not alone in seeking to hold companies accountable for what it perceives as failures to implement adequate cybersecurity measures and to respond adequately to data incidents. The New York Attorney General’s office has likewise recently pursued enforcement actions against companies it believes failed to respond adequately to data incidents and to address cybersecurity; the settlement of at least one such action required augmented cybersecurity practices, detailed incident response procedures, and the payment of fines.

Putting it Into Practice: The enforcement action highlights the importance of properly assessing and categorizing the severity of risks associated with cybersecurity vulnerabilities, and of taking swift and necessary action to respond to those risks. It also serves as a reminder that companies are expected to have and test internal policies and procedures for incident response. Lastly, employees responsible for addressing remediation items identified in the aftermath of a security incident should be given the resources and background needed to effect change. Without measured, proactive attention to cybersecurity and incident response, companies could face enforcement actions, fines, and penalties following the disclosure of a data breach.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising