Despite the attention the New York Department of Financial Services (“DFS”) Cybersecurity Regulation attracted when it took effect in March 2017, the number of enforcement actions brought by DFS under the regulation stood at zero until recently. On July 22, 2020, DFS brought an enforcement action against First American Title Insurance Company, one of the largest insurance providers in the United States, for violations of the Regulation. This is the first enforcement action brought by the DFS pursuant to the Regulation and serves as an important reminder to those entities covered by the Regulation to remain vigilant and in compliance because they are vulnerable to fines and prosecution for cybersecurity violations even where no documented injury exists.
Background: DFS Cybersecurity Regulation
The DFS Cybersecurity Regulation, which we summarized in our January 2017 Client Advisory, protects New York’s financial services industry from the threat of cybersecurity attacks by requiring the institutions subject to its jurisdiction to establish and maintain a cybersecurity program that applies to information systems, including electronic information and electronic information processing systems, in order to safeguard nonpublic information (“NPI”) within their control. The Regulation applies to all “Covered Entities”—which include banks, insurance companies, mortgage lenders and brokers, credit reporting agencies, and financial services institutions, all of which have been increasingly vulnerable to the threat of cyber criminals and their attacks in recent years.
The Regulation was the first of its kind in the United States and has served as a model for other industries and jurisdictions. Fully implemented in 2019, the Regulation requires Covered Entities to adopt specific cybersecurity policies and procedures based on comprehensive risk assessments in order to protect NPI. In addition to requiring performance of risk assessments to determine internal vulnerabilities, the regulation also requires Covered Entities to: i) conduct employee training; ii) maintain adequate recordkeeping, effective cybersecurity controls and governance procedures; iii) record audit results; iv) adopt cybersecurity policies and incident response plans; and v) properly vet and manage third-party vendors.
The Enforcement Proceeding and Charges
According to the Statement of Charges and Notice of Hearing issued by DFS, First American exposed tens of millions of documents that contained NPI over the course of a five-year period due to a vulnerability in its website. The exposed NPI consisted of social security numbers, drivers’ license numbers, bank account numbers, and mortgage and tax information, all of which was stored in First American’s proprietary document management network and transmitted through First American’s web-based title document delivery system. During the period of vulnerability, documents in the system were sequentially numbered, users were not required to verify their identities, and any person with a link to the system was able to access other documents available through the platform by changing one digit in the URL. As a result, unauthorized individuals, including potential fraudsters, were able to access sensitive information and view documents containing NPI.
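The three conditions the Statement of Charges describes (sequential document numbers, no identity check, and a link that can be altered to reach other documents) are the classic insecure direct object reference pattern. The following Python sketch is an added illustration, not code from First American’s system or from the Statement of Charges: it places the flawed handler beside a hardened one that authenticates the session, resolves an unguessable reference instead of a sequential number, checks that the requesting user owns the document, and records denied requests for detection. All names, documents and session tokens are constructed sample data.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Document:
    doc_id: int        # sequential number, as in the system the charges describe
    owner: str         # the customer entitled to view the document
    contents: str

@dataclass
class DocumentStore:
    by_id: dict = field(default_factory=dict)    # sequential id -> Document
    by_ref: dict = field(default_factory=dict)   # unguessable ref -> doc_id
    audit: list = field(default_factory=list)    # denied requests, for detection

    def add(self, doc: Document) -> str:
        """Store a document; return the opaque reference that goes in the link."""
        ref = secrets.token_urlsafe(16)   # 128 random bits, cannot be enumerated
        self.by_id[doc.doc_id] = doc
        self.by_ref[ref] = doc.doc_id
        return ref

def get_document_vulnerable(store, doc_id):
    """The flawed pattern: sequential id taken straight from the URL and no identity
    check, so anyone holding one link can read the neighbouring documents."""
    doc = store.by_id.get(doc_id)
    return doc.contents if doc else None

def get_document(store, sessions, session_token, doc_ref):
    """Hardened handler: authenticate, resolve the opaque ref, then authorize."""
    user = sessions.get(session_token)
    if user is None:
        return ("unauthorized", None)
    doc_id = store.by_ref.get(doc_ref)
    if doc_id is None:
        return ("not_found", None)
    doc = store.by_id[doc_id]
    if doc.owner != user:
        # log the denial: a run of these from one session is what a defender alerts on
        store.audit.append({"user": user, "doc_id": doc_id})
        return ("forbidden", None)
    return ("ok", doc.contents)

def build_sample_store():
    """Constructed sample data: two customers, two sequentially numbered documents."""
    store = DocumentStore()
    refs = {"alice": store.add(Document(1001, "alice", "alice closing statement")),
            "bob": store.add(Document(1002, "bob", "bob mortgage record"))}
    sessions = {"tok-alice": "alice"}   # constructed session table: token -> user
    return store, sessions, refs
```

The audit list is the detection hook: a customer-facing delivery system that never records an authorization failure has no way to notice the kind of access the charges describe.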
First American initially discovered this vulnerability during a penetration test in December 2018 and issued a report in January 2019 describing its findings. However, according to the Statement of Charges, First American did not remedy this vulnerability for at least six months following the issuance of the report and allowed personal data of customers to remain accessible to unauthorized third parties.
Interestingly, there was no reported or apparent breach or data theft incident in this case. Apparently, DFS learned about First American’s systems vulnerabilities through a web media report posted in May 2019 after the media entity was contacted by a real estate developer who did not receive a response from First American after reporting the vulnerability.
In addition to the fact that First American’s system vulnerabilities remained unaddressed for a number of years, resulting in data exposure from at least October 2014 through May 2019, the Statement of Charges identifies that First American failed to:
- properly estimate the level of severity associated with the discovered vulnerability by failing to accurately categorize the risk level as “high”;
- follow its own cybersecurity policies by neglecting to conduct a security overview or risk assessment of its title document delivery system;
- investigate the vulnerability within the timeframe dictated by its own internal cybersecurity policies;
- conduct a reasonable investigation into the scope and cause of the vulnerability after it was discovered by an internal penetration test in December 2018, thereby significantly underestimating the seriousness of the vulnerability;
- follow the recommendations of its own internal cybersecurity team to conduct further investigation into the vulnerability; and
- assign remediation efforts to a properly qualified employee. The employee tasked with remediation had little data security experience and was offered little support in carrying out his or her responsibilities.
The Hearing and Related Litigation
A DFS hearing on this matter has been scheduled for October 26, 2020. First American faces potential penalties of up to $1,000 per instance of exposed NPI, which, based on the DFS’s charges, could result in a significant total penalty amount. First American has publicly stated that it disagrees with the DFS findings.
In addition to the enforcement action, after the vulnerabilities were reported by the media in May 2019, a class action was commenced in the United States District Court for the Central District of California on behalf of persons who bought and sold homes for which First American was the title insurer. The suit claims that First American violated its own cybersecurity and privacy-related promises to its consumers and seeks over $5 million in damages. In addition, according to a media report, the SEC commenced an investigation of First American to determine whether the data exposure is a violation of federal securities laws.
The upcoming hearing and enforcement proceedings regarding First American should provide insight into DFS’s enforcement priorities and potential future penalties it will seek for entities with insufficient and noncompliant cybersecurity practices.
This enforcement action should also serve as a wake-up call to all Covered Entities that the DFS plans to enforce its regulation despite the recent years of inactivity, and a reminder of the importance of regularly assessing cybersecurity compliance in order to avoid being the next DFS target. In addition, while this case did not involve a data breach, Covered Entities are reminded that they must report data breaches within 72 hours of their discovery in certain circumstances, as prescribed by the Regulation.
Those entities covered by the Regulation, as well as those not covered by the Regulation but otherwise subject to New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which went into effect on March 21, 2020, are encouraged to consult legal counsel to assist in assessing the applicability of privacy and cybersecurity regulations and laws, evaluating compliance obligations, and advising on steps to take to ensure compliance.
* * *
For more information concerning the matters discussed in this publication, please contact the authors Matthew D. Dunn (212-238-8706), John M. Griem, Jr. (212-238-8659), Brielle E. Kilmartin (212-238-8652), another member of Carter Ledyard’s Cybersecurity practice group, or your regular Carter Ledyard attorney.
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2020 Carter Ledyard & Milburn LLP.