On July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it had filed its first enforcement action under 23 NYCRR 500 (the « Cybersecurity Regulation ») against First American Title Insurance (the « Company »), a large title insurance provider.
According to NYDFS’ Statement of Charges and Notice of Hearing (the « Statement »), the Company maintained a database with tens of millions of documents that included sensitive personal information, such as Social Security numbers, bank account information and mortgage and tax records. The Company also maintained a web-based title document delivery application that allowed certain individuals to access and share documents from the database with outside parties. As a result of a 2014 software update, the Company allegedly created a vulnerability in the document delivery application that led to the exposure of more than 850 million documents, many of which contained sensitive nonpublic personal information (NPI), including financial information, of consumers. NYDFS contends that the Company discovered the vulnerability and data exposure in a penetration test carried out in December 2018 but did not remedy the vulnerability until May 2019, when a security reporter reported on the vulnerability.
NYDFS alleges that the vulnerability and resulting exposure of NPI, caused in part by lack of reasonable access controls, was further compounded by a series of errors and flaws in the Company’s cybersecurity program and remediation. NYDFS further alleges that the Company’s actions and/or practices amounted to the following six violations of the Cybersecurity Regulation:
Failure to conduct a risk assessment for data stored in its database and document delivery application in violation of 23 NYCRR 500.02;
Failure to maintain and implement data governance and classification policies that were appropriate to the Company’s business model and risks in violation of 23 NYCRR 500.03;
Failure to limit user access privileges to information systems that provide access to NPI and periodic review of such access privileges in violation of 23 NYCRR 500.07;
Failure to conduct periodic risk assessments that were sufficient to inform the design of the cybersecurity program in violation of 23 NYCRR 500.09;
Failure to provide regular cybersecurity awareness training updated to reflect risks identified in the annual risk assessment to employees and affiliated title agents in violation of 23 NYCRR 500.14;
Failure to implement controls, including encryption, to protect NPI held or transmitted both in transit over external networks and at rest in violation of 23 NYCRR 500.15.
NYDFS is seeking civil monetary penalties, an order for the Company to remedy any violations and other just relief as is so ordered. While the Statement does not indicate how the total penalty may be calculated or the number of New York residents potentially impacted, NYDFS may seek a penalty of up to $1,000 per violation under New York law. The NYDFS has stated that each instance of NPI encompassed within the charges is a separate violation, meaning the monetary penalty could potentially be significant. NYDFS will hold a hearing on these alleged violations on October 26, 2020.
Covered entities should closely monitor this enforcement action. It not only provides key insights into NYDFS’ enforcement priorities and expectations but also may provide guidance in relation to obligations under insurance data security laws that are increasingly being adopted by states across the United States.
The Statement does not allege direct harm to New York (or other) consumers, which further illustrates the importance of adhering to the letter and spirit of the Cybersecurity Regulation, because potential enforcement action under the Cybersecurity Regulation need not be based on actual consumer harm.
Key insights include:
Follow Policies and Procedures Informed by Risk Assessments NYDFS makes clear with this enforcement action that cybersecurity is not simply a paper exercise. It is crucial that covered entities not only implement cybersecurity policies and procedures but that they follow such policies and procedures. Cybersecurity policies and procedures must be informed by comprehensive risk assessments carried out by individuals well versed in the entity’s systems and the data being collected. Covered entities must also act in accordance with their cybersecurity policies and procedures, including in remedying any vulnerabilities or deficiencies identified by a risk assessment.
According to the Statement, the Company allegedly failed on multiple fronts, both in designing its cybersecurity policies and procedures and by failing to act in accordance with such policies and procedures. The Company’s cybersecurity policies required a security overview report for each application and a risk assessment for data stored or transmitted by any application. NYDFS contends the Company failed to perform a security overview or risk assessment for its document delivery application, and as a result, after the discovery of the vulnerability, the Company failed to identify that NPI was being stored and transmitted through the application, contributing to the misclassification of the severity of the vulnerability and data exposure.
The Statement further alleges the Company did not: (i) act in accordance with its cybersecurity policies and procedures by failing to remedy the vulnerability in accordance with the time periods set out in its policies; (ii) follow the recommendations of its cybersecurity personnel to conduct further review and investigation of the vulnerability; and (iii) act to improve the process for tagging documents with NPI to prevent their release, despite being aware that the process was « highly prone to error » and that potentially millions of documents were incorrectly tagged and thus exposed.
Remediate Significant Vulnerabilities Quickly Once a vulnerability is identified, covered entities must act quickly to appropriately classify and remediate the vulnerability. Covered entities must involve the appropriate personnel in the response, and there must be accountability for the remediation.
The Statement accuses the Company’s Cyber Defense team of incorrectly classifying the vulnerability as « medium severity » based on the mistaken belief that the document delivery application did not transmit NPI. (The Statement also alleges the vulnerability was inadvertently reclassified as « low severity » in the vulnerability tracking system, further delaying the time in which the vulnerability was corrected.) NYDFS contends this improper classification was further compounded by the Company’s « willful failure » to remediate the vulnerability for six months after it was discovered, allowing « unfettered access » to millions of documents with NPI until June 2019. The Company also allegedly assigned remediation to a new employee with little security experience and did not provide the employee with the penetration test report detailing the vulnerability, information about the severity of the vulnerability or applicable policies for security and remediation.
Conduct a Reasonable Review Once a vulnerability is discovered, a covered entity must conduct a reasonable investigation. NYDFS will assess the reasonableness of a covered entity’s investigation and remediation of a vulnerability.
The Statement alleges that, after the penetration test report identified the vulnerability and potential data exposure, the Company did not reasonably investigate, reviewing only 10 documents, none of which included NPI, despite knowing that hundreds of millions of documents may have been exposed. NYDFS describes this review as a « preposterously minimal review, » alleging that its inadequacy contributed to the Company failing to understand the severity of the risk and the sheer volume and sensitivity of the NPI that may have been exposed.
Undertake Cybersecurity Awareness Training Covered entities must provide regular cybersecurity awareness training for all personnel. Covered entities must also carefully consider who should receive training, including, for example, agents that have access to a covered entity’s systems or databases.
The Company allegedly failed to adequately provide cybersecurity awareness training. NYDFS further alleges that senior employees involved with the information systems lacked knowledge of whether the document delivery application included NPI. Additionally, NYDFS alleges the Company did not provide cybersecurity awareness training to affiliated title agents despite them being able to access its systems and documents.