The enforcement action, against First American Title Insurance Company (First American), alleges that vulnerability management lapses resulted in the exposure of more than 850 million customer records maintained by First American during a 2018 data breach. Some of the compromised customer records contained sensitive nonpublic information (NPI), including Social Security numbers, mortgage and tax records, driver's license images, and bank account numbers and statements. Although First American had initially detected vulnerabilities during a 2018 penetration test, the enforcement action argues that it failed to conduct a reasonable investigation into the nature and scope of the vulnerabilities and adopt appropriate compensating controls. NYDFS concluded that First American’s flawed cybersecurity program and deficient controls permitted the ongoing exposure of data over a period of years, including well after it was detected.

NYDFS charged First American with violating six provisions of the Cybersecurity Regulation, arguing that, among other violations, First American:

• failed to utilize risk assessments, security reviews, and its own cybersecurity policies when investigating the vulnerability and sensitive data associated with the vulnerability;
• underestimated the vulnerability as a "low" severity, and subsequently failed to investigate under the criteria set forth in its cybersecurity policies;
• did not conduct a reasonable investigation into the vulnerability even after its detection in December 2018, and instead only reviewed 10 of the millions of exposed documents; and
• failed to follow the advice of its own in-house cybersecurity team to further investigate and remedy the vulnerability.

NYDFS is seeking civil monetary penalties and an order to remedy the alleged violations. The Cybersecurity Regulation allows for civil monetary penalties under Section 408 of the Financial Services Law (Section 408).

NYDFS has not offered clear guidance on what constitutes "a violation," particularly with respect to the exposure of NPI. Section 408 only notes, in relevant part, that NYDFS can levy a penalty not to exceed $1,000 per violation of Section 408 with respect to a financial product or service. NYDFS has also not indicated how it will calculate the penalties, leaving several possibilities for defining “a violation,” including: (1) days during which the vulnerability existed, (2) number of New York residents affected, (3) number of total individuals affected, or (4) each incident constituting a single violation. Depending on the methodology, potential civil monetary penalties could range from figures in the thousands to the billions of dollars.

The enforcement action against First American underscores the importance of regularly reviewing an organization’s existing cybersecurity program to help ensure compliance with all applicable laws and regulations and suggests that NYDFS has indeed transitioned into enforcement mode three years after the Cybersecurity Regulation was adopted. Rooted in NYDFS’ allegations against First American is the importance of a robust vulnerability management program, including regular assessments, assigning an appropriate classification to identified vulnerabilities given an organization’s size and the type of sensitive information involved, and corresponding remediation plans that are tracked to completion. For organizations that regularly conduct risk assessments, it is equally important that there are documented measures addressing the risks and vulnerabilities identified, with a corresponding roadmap and timeline to address such items. Performing these actions can help organizations maintain resilient cybersecurity programs and improve overall cybersecurity incident preparedness while also reducing legal risk.

*Jocelyn Hassel, a summer associate in our New York office, contributed to this entry.

Authored by: Peter Marta, Tim Tobin, Paul Otto, Morgan Perna, and Asmaa Awad-Farid.