NY Dept. of Financial Services Announces Cybersecurity Charges Against First American
press release, New York Department of Financial Services
   

The New York State Department of Financial Services (DFS) today filed a statement of charges against First American Title Insurance Company. DFS alleges that First American exposed hundreds of millions of documents, millions of which contained consumers’ sensitive personal information (“Nonpublic Information”) including bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts, and drivers’ license images. These charges are the first to be filed alleging violations of DFS’s Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations.

First American Title Insurance Company is one of the largest providers of title insurance in the United States. In 2019, First American wrote more than 50,000 policies in New York State.

In the statement of charges announced today, the Department alleges that a vulnerability in First American's information systems resulted in exposure of consumers’ sensitive personal information over the course of several years, and First American failed to remedy the exposure promptly after it was discovered in December 2018.

DFS alleges multiple failures in First American's handling of this extraordinary data exposure of sensitive consumer information, including:

 

  • First American failed to follow its own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;

  • First American misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American's internal cybersecurity policies;

  • after the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and

  • the title insurer failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.

 

DFS alleges that these errors, deficient controls, and other flaws in First American’s cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered.

According to the statement of charges, First American violated six provisions of the Cybersecurity Regulation. The Cybersecurity Regulation is implemented pursuant to Section 408 of the Financial Services Law. Any violation of Section 408 with respect to a financial product or service, which includes title insurance, carries penalties of up to $1,000 per violation. DFS alleges that each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.

A full copy of the statement of charges and Notice of Hearing can be found on the DFS website.

The hearing will be held at the office of the New York State Department of Financial Services, One State Street, New York, New York, beginning on October 26, 2020.

DFS’s Cybersecurity Regulation became effective in March 2017. The Cybersecurity Regulation was drafted with substantial industry input: DFS surveyed nearly 200 regulated banking institutions and insurance companies, met with a cross-section of those surveyed and cybersecurity experts during the drafting period, and granted two rounds of notice and comment. Additional implementation time was granted for multiple provisions, and the regulation was not fully in effect until March 2019. The Regulation grants particular exemptions for smaller businesses.

DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, and the National Association of Insurance Commissioners (NAIC).

In 2019, Superintendent Linda A. Lacewell created the DFS Cybersecurity Division, a first of its kind for a financial industry regulator, placing the newly-created Division on equal footing with the Banking, Insurance, and Consumer Protection and Financial Enforcement Divisions.


