The NYDFS action asserts that the title insurer's Chief Information Security Officer "disavowed ownership of the issue" by not adopting appropriate controls, because such controls were not seen as the responsibility of the Company's information security department. It further asserts that, rather than implementing "centralized and coordinated training" on security procedures, the Company charged individual business units with enforcing those procedures and training users on them.
The Company allegedly violated the following sections of the state regulation:
- 500.02 (Cybersecurity Program) by failing to conduct risk assessments for nonpublic information stored and transmitted within its system, including in its database and web application;
- 500.03 (Cybersecurity Policy) by not (i) maintaining and implementing data governance and classification policies and (ii) maintaining an “appropriate, risk-based policy governing access controls” for its application;
- 500.07 (Access Privileges) by not implementing reasonable access controls and instead allowing unauthorized remote users to gain access to nonpublic information in the Company’s database;
- 500.09 (Risk Assessment) by not conducting a risk assessment sufficient to inform the Company’s cybersecurity program, particularly given the Company’s alleged “failure to identify where [nonpublic information] was stored and transmitted through its Information Systems” and the availability and effectiveness of its controls;
- 500.14(b) (Training and Monitoring) by not providing adequate data security training to the Company’s personnel responsible for identifying and uploading sensitive documents to the Company’s database and using its web application; and
- 500.15 (Encryption of Nonpublic Information) by failing to implement controls, including encryption, and adopt compensating controls required to be approved by the Company’s CISO to protect nonpublic information.
A hearing on the matter is scheduled to commence on October 26, 2020, at which evidence will be heard on whether the title company violated the regulation. If violations are found, the company could face severe civil monetary penalties. Since it is alleged that more than 350,000 records may have been compromised, and the Regulation allows the NYDFS to assess a penalty of up to $1,000 per violation, a fine could be very significant.
For more information, see this article in Compliance Week, which does name FATCO as the target: https://www.complianceweek.com/cyber-security/first-american-first-charged-with-nydfs-cyber-regulation-abuses/29221.article