In a landmark legal case that could test cybersecurity regulations and associated penalties, The New York State Department of Financial Services (DFS) has filed cybersecurity charges against First American Title Insurance Company, one of the largest providers of title insurance in the United States.
This marks the first time DFS has filed cybersecurity charges that allege an organization violated its Cybersecurity Regulation, according to a prepared statement.
The case is of particular note to MSSPs (managed security services providers) and IT consulting firms that support financial services firms in New York. Moreover, attorneys general from other states are watching the case to see how well cybersecurity regulations -- and associated financial penalties -- hold up in court.
DFS alleges that a security vulnerability in First American's information systems led to the exposure of consumers' sensitive personal information over the course of several years. It also claims that First American failed to remedy the exposure after it was discovered in December 2018.
A Closer Look at DFS's Cybersecurity Charges Against First American
DFS alleges that First American did not comply with provisions of its Cybersecurity Regulation, including:
- Security Review: First American ignored its internal cybersecurity policies and did not conduct a security review and a risk assessment after it discovered that consumer data was exposed.
- Vulnerability Classification: First American misclassified a security vulnerability as "low" and did not investigate the vulnerability within the time frame dictated by its internal cybersecurity policies.
- Investigation: First American discovered the security vulnerability after an initial penetration test in December 2018, but it did not conduct a reasonable investigation into the scope and cause of the exposure. In addition, First American ignored the recommendations of its internal cybersecurity team to further investigate the vulnerability.
First American violated six provisions of the Cybersecurity Regulation, DFS alleges. Any violation of Section 408 of this regulation with respect to a financial product or service carries penalties of up to $1,000 per violation, and each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
Next Steps: October Hearing
DFS will host a hearing regarding the cybersecurity charges against First American on Oct. 26, 2020.
The New York State Department of Financial Services (DFS) alleges that First American Title Insurance Company put its customers' sensitive data in danger.
