On July 21, 2020, the New York State Department of Financial Services filed charges against First American Title Insurance Company, regarding violations of NYSDFS’s Cybersecurity Regulations for Financial Services Companies. These are the first charges to be filed by NYSDFS’ Consumer Protection and Financial Enforcement Section alleging violations of the Cybersecurity Regulation enacted in 2017, and portend active enforcement to come. As the Cybersecurity Regulation applies to all institutions and professionals regulated by the NYSDFS, this inaugural enforcement action should be a wake-up call to insurance companies, financial institutions and other professionals doing business in New York.
When the Consumer Protection and Financial Enforcement Section was created last year, the NYSDFS noted that it would have a “particular focus on the review and response to cybersecurity events.” The Cybersecurity Regulation which is being enforced by this action requires regulated entities and professionals to have a robust cybersecurity program in place to protect consumers' private data, including written policies approved by the Board of Directors, appointment of a Chief Information Security Officer, and security controls including encryption and multifactor authentication, as well as comprehensive training and monitoring for all employees and other users with respect to data security.
The NYSDFS alleges that First American’s violation of the Cybersecurity Regulation stems from a vulnerability on its public website which for over four years exposed tens of millions of records that contained consumers’ sensitive personal information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images. The charges also cite a failure to encrypt documents that First American knew to contain sensitive information and a serious lack of urgency by First American to remedy the website vulnerability, even after its own cybersecurity team recommended changes to the website in January 2019.
The NYSDFS further alleges that First American’s senior management’s rejection of recommendations by its incident response team constitutes violations of the Cybersecurity Regulation. Specifically, recommendations to limit access to authenticated users, disallow transmission of documents containing sensitive information through unsecured links, and conduct a scan for documents containing sensitive information were all rejected by First American’s management and form the basis for some of NYSDFS’ charges. The charges allege that the controls put in place by First American, instructing users not to send sensitive information, and discretionary employee trainings on the website vulnerability, are neither proportional nor appropriate to address the vulnerability. The Cybersecurity Regulation carries penalties of up to $1,000 per violation, and each instance of a record exposure could constitute a separate violation. A significant penalty could be in store.
This case is a meaningful precedent for the Cybersecurity Regulation’s enforcement in New York and an instructive tool for boards and management in developing and implementing cybersecurity risk assessments and cyber response policies. In particular, the charges underscore the importance of conducting regular risk assessments of software applications and ensuring that the scope of such assessments is proportional to the application at issue. Even after an issue has been detected, cyber incident response efforts are of equal, if not greater, consequence, and should encompass not just the actual exposure but the potential for exposure. Adherence to cyber response policies and to the recommendations of cyber incident response teams is critical in today’s environment. Cyber insurance is a necessary component of cybersecurity preparedness, and increasingly covers many of these prophylactic measures, as well as post-incident remediation. With New York and other states around the country stepping up their enforcement of cybersecurity regulations, many of which carry hefty fines, companies and professionals need to prioritize the safety and security of their clients’, customers’, and employees’ personal data.