The New York State Department of Financial Services today filed charges against First American Title Insurance Co., claiming the company exposed millions of documents containing personal information of clients.
The charges are the first under the state's cybersecurity regulations adopted in 2017.
The department alleged that First American exposed consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images.
First American is one of the largest providers of title insurance in the United States, DFS said in a news release. In 2019, First American wrote more than 50,000 policies in New York State.
A vulnerability in First American's information systems resulted in exposure of consumers’ sensitive personal information over the course of several years, and First American failed to remedy the exposure promptly after it was discovered in December 2018, the state said in court documents.
DFS alleged multiple failures in First American's handling of this extraordinary data exposure of sensitive consumer information, including:
• First American failed to follow its own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and of the sensitive data affected by the vulnerability;
• First American misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American's internal cybersecurity policies;
• after the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
• the title insurer failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
DFS alleged that these errors, deficient controls, and other flaws in First American’s cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered.
According to the statement of charges, First American violated six provisions of the Cybersecurity Regulation. DFS alleges that each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
A hearing on the charges will be held at the office of the Department of Financial Services in New York City, beginning on Oct. 26.
New York’s cybersecurity regulation went into effect in March 2017. Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019. The regulation grants particular exemptions for smaller businesses.
In public comments, DFS Superintendent Linda A. Lacewell has repeatedly said “Cybersecurity is the biggest threat to government and industry bar none” and has emphasized the DFS cybersecurity regulation will be enforced.
The regulation went on to become a model for other states, and ultimately formed the basis of a national model law passed by the National Association of Insurance Commissioners.