In July 2020, the New York State Department of Financial Services (NYDFS) filed the first enforcement action under the new NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500), against First American Title Insurance Company (First American), a leading title insurance provider.
Part 500, which went into effect in March 2019, is a set of regulations that places new cybersecurity requirements on financial institutions regulated by NYDFS. Pursuant to Part 500, covered financial institutions must establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of non-public information (NPI). Covered entities must also maintain policies and procedures to protect the privacy of consumer data.
The Statement of Charges filed by NYDFS alleged that First American did not maintain adequate internal controls to protect NPI. Furthermore, NYDFS alleged that First American exposed numerous documents containing consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.
More specifically, NYDFS alleged that a “known vulnerability” in First American’s information systems resulted in exposure of NPI via the company’s public-facing website. According to the Statement of Charges, in 2014, First American updated an internal system and inadvertently created access to loan documents — without any login or authentication — through a public URL. NYDFS also alleged that an internal penetration test identified the vulnerability in December 2018, but First American failed to properly and timely remediate it.
The NYDFS Statement of Charges alleges six different violations of Part 500:
In the wake of NYDFS’s enforcement action, First American publicly stated that it “strongly disagrees” with the charges. A hearing is scheduled for October 26, 2020, to determine whether the alleged violations occurred and “whether civil monetary penalties shall be imposed and other appropriate relief be granted.” According to NYDFS, each instance of NPI “encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.”
The charges against First American are notable because they indicate that NYDFS intends to aggressively pursue and enforce what it perceives to be violations of Part 500. The case is particularly significant because, while there are allegations that consumer data was exposed, there are no allegations of a wholesale data breach or that any consumers were actually harmed by First American’s alleged violations. The willingness to bring an enforcement action under these circumstances further indicates how aggressively NYDFS intends to enforce Part 500. Finally, if the charges are proven, it will be interesting to see whether NYDFS actually seeks to impose a $1,000 penalty for each violation of Part 500. To the extent that NYDFS takes this position, the fine imposed could be significant.
This enforcement action serves as an important reminder to financial services companies regulated by NYDFS to ensure that they are in compliance with Part 500. Regulated entities must ensure that they are not only creating effective cybersecurity policies and procedures, but also that they are following, implementing, and modifying these policies and procedures on a regular basis.
Regulated entities would be wise to pay heed to the following recommendations: