NYDFS Announces First-Ever Enforcement Action Against Major Title Underwriter for Cyber Breach

On July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it had filed its first enforcement action under New York's Cybersecurity Regulation (23 NYCRR 500) against a large title insurance provider. Although the company is not named, the fact pattern closely resembles the widely reported breach at First American Title Company, in which a flaw introduced in 2014 allegedly went undiscovered until 2018. We have not verified the name of the targeted company at this time, although others are naming names (see the link at the end of this post).

According to the Statement of Charges and Notice of Hearing, this title insurance company, which operates in New York, maintained a database with millions of documents containing sensitive personal information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver's license images. The Company also maintained a web-based document delivery application through which title agents and Company employees could access documents in the database and share them with outside parties as part of real estate transactions. To share a document, the agent or employee would email a participant in the real estate transaction a URL that granted access to it. Anyone who obtained that URL could retrieve the document with no further authentication. The alleged breach, according to the NYDFS, was not fully remediated until May 2019.
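The access-control failure the charges describe is a share link that works for any bearer. The following is an added illustration, not code from the title insurer or from the NYDFS filing: a minimal version of the weak pattern (serve whatever document ID appears in the URL) beside a hardened share link that is HMAC-signed, expires, and is bound to the intended recipient, who must be logged in to use it. The document store, the domain docs.example.test, the recipient addresses and the function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample document store; the IDs and contents are placeholders,
# not data from the incident described in the post.
DOCUMENTS = {
    "doc-1001": "wire transaction receipt",
    "doc-1002": "driver's license image",
}


def vulnerable_fetch(url):
    """Weak pattern: whoever holds the link gets the document.

    The handler trusts the document ID in the query string and performs
    no authentication and no check that the link was ever issued.
    """
    doc_id = parse_qs(urlparse(url).query).get("id", [None])[0]
    return DOCUMENTS.get(doc_id)


# Server-side signing key; a real deployment would keep this in a secrets store.
SECRET = secrets.token_bytes(32)


def _payload(doc_id, recipient, exp):
    # Fields are joined with a separator that cannot appear in a document ID
    # or an e-mail address, so the signed string is unambiguous.
    return f"{doc_id}|{recipient}|{exp}".encode()


def make_share_link(doc_id, recipient, ttl_seconds=3600, now=None):
    """Issue a link that names the recipient, expires, and is signed."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    sig = hmac.new(SECRET, _payload(doc_id, recipient, exp), hashlib.sha256).hexdigest()
    return "https://docs.example.test/share?" + urlencode(
        {"id": doc_id, "to": recipient, "exp": exp, "sig": sig}
    )


def hardened_fetch(url, authenticated_user, now=None):
    """Serve the document only if the link is intact, unexpired, and
    presented by the logged-in user it was addressed to.

    Every failure returns None so the caller cannot distinguish a forged
    link from an expired one.
    """
    q = parse_qs(urlparse(url).query)
    try:
        doc_id, recipient, exp, sig = q["id"][0], q["to"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    expected = hmac.new(SECRET, _payload(doc_id, recipient, exp), hashlib.sha256).hexdigest()
    # Constant-time comparison: the signature covers id, recipient and expiry,
    # so changing any of them invalidates the link.
    if not hmac.compare_digest(expected, sig):
        return None
    if (now if now is not None else time.time()) > exp:
        return None
    # The link alone is not enough: the viewer must be authenticated as the
    # party the document was shared with.
    if authenticated_user != recipient:
        return None
    return DOCUMENTS.get(doc_id)
```

With the weak handler, swapping the ID in any link you have been sent yields someone else's document. With the hardened one, the same edit breaks the signature, a forwarded link fails the recipient check, and an old link fails the expiry check. Logging each of those rejections gives the monitoring signal that 500.14 expects.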

The NYDFS action asserts that the title insurer's Chief Information Security Officer "disavowed ownership of the issue": appropriate controls were not adopted because they were not seen as the responsibility of the Company's information security department. It further asserts that, rather than implementing "centralized and coordinated training" on security procedures, the Company left individual business units to train users on those procedures and to enforce them.


The Company allegedly violated the following sections of the state regulation:

  • 500.02 (Cybersecurity Program) by failing to conduct risk assessments for nonpublic information stored and transmitted within its system, including in its database and web application;
  • 500.03 (Cybersecurity Policy) by not (i) maintaining and implementing data governance and classification policies and (ii) maintaining an “appropriate, risk-based policy governing access controls” for its application;
  • 500.07 (Access Privileges) by not implementing reasonable access controls and instead allowing unauthorized remote users to gain access to nonpublic information in the Company’s database;
  • 500.09 (Risk Assessment) by not conducting a risk assessment sufficient to inform the Company's cybersecurity program, particularly given the Company's alleged "failure to identify where [nonpublic information] was stored and transmitted through its Information Systems" and to assess the availability and effectiveness of its controls;
  • 500.14(b) (Training and Monitoring) by not providing adequate data security training to the Company's personnel responsible for identifying and uploading sensitive documents to the Company's database and for using its web application; and
  • 500.15 (Encryption of Nonpublic Information) by failing to implement controls, including encryption, to protect nonpublic information, or to adopt compensating controls, which the regulation requires the Company's CISO to approve.

A hearing on the matter is scheduled to commence on October 26, 2020, at which evidence will be heard on whether the title company violated the regulation. If violations are found, the company could face severe civil monetary penalties. Since it is alleged that more than 350,000 records may have been compromised, and the Regulation allows the NYDFS to assess a penalty of up to $1,000 per violation, a fine could be very significant.

For more information, see this article in Compliance Week, which does name FATCO as the target: https://www.complianceweek.com/cyber-security/first-american-first-charged-with-nydfs-cyber-regulation-abuses/29221.article
