News & Insights

Recent Posts

Covid-19: Assessing the Legal Risk of Infectious Diseases

WSHB Employer Alert: FFCRA and DOL Regulations 4.2.20

Employment Practices Consultation & COVID-19

It’s a No-Win Situation: The Perils Facing Hospitals Due to the Coronavirus

COVID-19 Employer Alert: Summary of the CARES Act

COVID-19: New York Malpractice Law Alert

COVID-19 Employer Alert: Enactment of Families First Coronavirus Response Act (FFCRA)

WSHB Co-Founder Stephen Henning to Announce the Winner of CLM's 2020 Outside Counsel Professional of the Year Award

WSHB Partner Robert Hellner Shares Mediation Tactics at CLM’s 2020 Annual Conference

Risk Transfer and Contractual Indemnification – Who Gets Left Holding the Bag?

New Developments in Challenging Certificates of Merit — Seeking Dismissal for Failure to Concurrently File Certificate with the Original Petition

Seven Habits that Define a Highly Effective Claims Team

Social Media Do's and Don'ts

WSHB Partner Kelly Waters Named to NJBIZ's 2020 Best Fifty Women in Business List

WSHB Names Andrew S. Kessler as Managing Partner of the Firm's Philadelphia Office

WSHB Employment Alert: California Law Banning Arbitration Agreements Temporarily on Hold

Sam McDermott on the Dos and Don’ts of Construction Project Termination

Full Disclosure! Insurer Beware: Colorado’s New Automobile Policy Disclosure Law Has Teeth!

Andrew S. Kessler Named Legal Counsel for Northeast Community Center for Behavioral Health

WSHB Elevates Ten Partners to Defined Equity Status

Eleven WSHB Attorneys Elected Into Partnership

Eighteen Attorneys Elected to WSHB Senior Counsel

Supreme Court Allows Suit Over Website Accessibility

Strategies for Defending Legionella and Mold Claims

Residential Revolution

Time Limit Demand Issues Arrive in North Carolina

Temp Agency Absolved of Liability in Hotly Contested Action

Alternative Fee Agreements and Construction Issues: Oil and Water or Perfect Pairing!?

WSHB's Graham Miller Helps Demystify Construction Claims in the Pacific Northwest

WSHB Partner Janice Michaels Named to The Best Lawyers in America© 2020 List

One Bad Apple: Navigating through Sexual Battery and other Intentional Torts

Leading Construction Litigator Cynthia Tari Joins WSHB's Dallas Office

WSHB’s Philadelphia Partner Secures Summary Judgment in Catastrophic Premises Liability Matter

WSHB Welcomes New Partner Andrew Kessler

New Bill In New York Proposed for Signature by Governor Andrew Cuomo is Set To Make Employers "SWEAT"

Renowned Litigator Jason Williams Joins WSHB's Nevada Office

Litigator Richard Young Joins WSHB's Nevada Office

Published Appellate Opinion Upholding Summary Judgment in Favor of Commercial Tenant Against $3.5M Subrogation Suit

17 WSHB Lawyers Honored as 2019's Rising Stars

Arizona Supreme Court Allows Court of Appeals Decision Expanding Defendants' Ability to Enforce Settlements to Stand

WSHB’s Jason Klein Breaks Down the Good, the Sad and the Funny Sides of Claims

Litigating Sexual Battery and Other Intentional Torts: Navigating the One Bad Apple in Medical Negligence

WSHB Partner Michelle Arbitrio to Moderate Panel on Insurance and Risk Management in the Age of Mass Shootings

Girl on Fire: The Price of Pursuing the Truth in the #MeToo World

Pragmatic Issues on Settlement Versus Trial for Legal Malpractice Cases

A Withering Assault

The Natural Progression of Natural Disasters

Nevada’s Governor Signs Chapter 40 Reform Bill

WA Condo Law Changes Hope to Curtail Frivolous Defect Lawsuits and Stimulate Production

WSHB Co-Founder Stephen Henning Steps Into the Spotlight at this Year's West Coast Casualty Seminar

Professional Liability Expert Weighs In On Protecting Your Practice From Opioid Doc Arrest Fallout

Penalties, Punitives, and Granny Cams: The Escalating Lure of Elder Abuse Litigation

Are Structured Settlements Still Relevant

Game Changing Trends Affecting Construction

He's Not My Guy: The Joint-Employer Doctrine

WSHB Case Update: DOL Proposes Increase to Minimum Salary Threshold

WSHB and DWF Announce Exclusive Association

The Coastal Fire and What it Portends for the California Fire Season Ahead

Stephen Henning Named a Finalist for RISE 2022 Mentor of the Year Award

New Agreement on MICRA Averts Ballot Box Uncertainty in November

Who to Pay? Florida Court Weighs in on Claim Payments to AOB and Insureds

First Cybersecurity Enforcement Action Filed by the New York State Department of Financial Services

August 3, 2020

On July 21, 2020, the New York State Department of Financial Services filed charges against First American Title Insurance Company, regarding violations of NYSDFS’s Cybersecurity Regulations for Financial Services Companies. These are the first charges to be filed by NYSDFS’ Consumer Protection and Financial Enforcement Section alleging violations of the Cybersecurity Regulation enacted in 2017, and portend active enforcement to come. As the Cybersecurity Regulation applies to all institutions and professionals regulated by the NYSDFS, this inaugural enforcement action should be a wake-up call to insurance companies, financial institutions and other professionals doing business in New York.

When the Consumer Protection and Financial Enforcement Section was created last year, the NYSDFS noted that it would have a “particular focus on the review and response to cybersecurity events.” The Cybersecurity Regulation which is being enforced by this action requires regulated entities and professionals to have a robust cybersecurity program in place to protect consumers’ private data, including written policies approved by the Board of Directors, appointment of a Chief Information Security Officer, and security controls including encryption and multifactor authentication, as well as comprehensive training and monitoring for all employees and other users with respect to data security.

The NYSDFS alleges that First American’s violation of the Cybersecurity Regulation stems from a vulnerability on its public website which for over four years exposed tens of millions of records that contained consumers’ sensitive personal information including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images. The charges also cite to a failure to encrypt documents that First American knew to contain sensitive information a serious lack of urgency by First American to remedy the website vulnerability, even after its own cybersecurity team recommended changes to the website in January 2019.

The NYSDFS further alleges that First American’s senior management’s rejection of recommendations by it’s incident response team constitutes violations of the Cybersecurity Regulation. Specifically, recommendations to limit access to authenticated users, disallow transmission of documents containing sensitive information through unsecured links, and conduct a scan for documents containing sensitive information, were all rejected by First American’s management and form the basis for some of NYSDFS’ charges. The charges allege that controls put in place by First American instructing users not to send sensitive information, and discretionary employee trainings on the website vulnerability, are neither proportional or appropriate to address the vulnerability. The Cybersecurity Regulation carries penalties up to $1,000 per violation, and each instance of a record exposure could constitute a separate violation. A significant penalty could be in store.

This case is a meaningful precedent for the Cybersecurity Regulation’s enforcement in New York and an instructive tool for boards and management in developing and implementing cybersecurity risk assessments and cyber response policies. In particular, the charges underscore the importance of conducting regular risk assessments of software applications and ensuring that the scope of such assessments is proportional to the application at issue. Even after an issue has been detected, cyber incident response efforts are of equal, if not greater consequence, and should encompass not just the actual exposure but the potential for exposure. Adherence to cyber response policies and recommendations of cyber incident response teams is critical in today’s environment. Cyber insurance is a necessary component of cybersecurity preparedness, and increasingly covers many of these prophylactic measures, as well as post-incident remediation. With New York and other states around the country stepping up their enforcement of cybersecurity regulations, many of which carry hefty fines, companies and professionals need to prioritize the safety and security of their clients, customers, and employees personal data.


Privacy Policy      |      Site Map

© 2022 Wood Smith Henning & Berman LLP

Subscribe to our mailing list

* indicates required