July 22, 2020
DEPARTMENT OF FINANCIAL SERVICES ANNOUNCES CYBERSECURITY CHARGES AGAINST A LEADING TITLE INSURANCE PROVIDER FOR EXPOSING MILLIONS OF DOCUMENTS WITH CONSUMERS' PERSONAL INFORMATION
First Cybersecurity Enforcement Action Filed by the Department of Financial Services
The New York State Department of Financial Services (DFS) today filed a statement of charges against First American Title Insurance Company. DFS alleges that First American exposed hundreds of millions of documents, millions of which contained consumers’ sensitive personal information (“Nonpublic Information”) including bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts, and drivers’ license images. These charges are the first to be filed alleging violations of DFS’s Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations.
First American Title Insurance Company is one of the largest providers of title insurance in the United States. In 2019, First American wrote more than 50,000 policies in New York State.
In the statement of charges announced today, the Department alleges that a vulnerability in First American's information systems resulted in exposure of consumers’ sensitive personal information over the course of several years, and First American failed to remedy the exposure promptly after it was discovered in December 2018.
DFS alleges multiple failures in First American's handling of this extraordinary data exposure of sensitive consumer information, including:
First American failed to follow its own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
First American misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American's internal cybersecurity policies;
after the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
the title insurer failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
DFS alleges that these errors, deficient controls, and other flaws in First American’s cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered.
According to the statement of charges, First American violated six provisions of the Cybersecurity Regulation. The Cybersecurity Regulation is implemented pursuant to Section 408 of the Financial Services Law. Any violation of Section 408 with respect to a financial product or service, which includes title insurance, carries penalties of up to $1,000 per violation. DFS alleges that each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
A full copy of the statement of charges and Notice of Hearing can be found on the DFS website.
DFS’s Cybersecurity Regulation became effective in March 2017. The Cybersecurity Regulation was drafted with substantial industry input: DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and cybersecurity experts during the drafting period, and granted two rounds of notice and comment. Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019. The Regulation grants particular exemptions for smaller businesses.
DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, and the National Association of Insurance Commissioners (NAIC).
In 2019, Superintendent Linda A. Lacewell created the DFS Cybersecurity Division, a first of its kind for a financial industry regulator, placing the newly-created Division on equal footing with the Banking, Insurance, and Consumer Protection and Financial Enforcement Divisions.