NYDFS—First Enforcement Action under Cybersecurity Regulation



On July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it had filed its first enforcement action under 23 NYCRR 500 (the “Cybersecurity Regulation”) against First American Title Insurance (the “Company”), a large title insurance provider.








According to NYDFS’ Statement of Charges and Notice of Hearing (the “Statement”), the Company maintained a database with tens of millions of documents that included sensitive personal information, such as Social Security numbers, bank account information and mortgage and tax records. The Company also maintained a web-based title document delivery application that allowed certain individuals to access and share documents from the database with outside parties. As a result of a 2014 software update, the Company allegedly created a vulnerability in the document delivery application that led to the exposure of more than 850 million documents, many of which contained sensitive nonpublic personal information (NPI), including financial information, of consumers. NYDFS contends that the Company discovered the vulnerability and data exposure in a penetration test carried out in December 2018 but did not remedy the vulnerability until May 2019, when a security reporter reported on the vulnerability.






NYDFS alleges that the vulnerability and resulting exposure of NPI, caused in part by a lack of reasonable access controls, were further compounded by a series of errors and flaws in the Company’s cybersecurity program and remediation. NYDFS further alleges that the Company’s actions and/or practices amounted to the following six violations of the Cybersecurity Regulation:


  • Failure to conduct a risk assessment for data stored in its database and document delivery application in violation of 23 NY ..
