Blog

NY Department of Financial Services Brings First Enforcement Action under its Cybersecurity Regulation

Aug 19, 2020

Cyber-regulation By Paul Lanois, SSCP, CIPP, CIPT, CIPM

On Tuesday, July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it has brought its first enforcement action pursuant to the NYDFS Cybersecurity Regulation against a large title insurer, First American Title Insurance Company (“the Company”), alleging multiple failures to protect its consumers’ sensitive personal information.

According to the Statement of Charges and Notice of Hearing issued by the NYDFS, the Company maintained a database with millions of documents containing sensitive personal information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images. The NYDFS alleged that, as of May 2019, the database contained more than 850 million documents, a large portion of which included sensitive personal information.

The Statement of Charges further alleged that the Company maintained a web-based document delivery application through which title agents and Company employees could access documents in the database and share them with outside parties as part of real estate transactions. The application allowed title agents and Company employees to email a participant in a real estate transaction a URL giving the recipient access to the relevant documents. Anyone who had the link could access the documents without any login or authentication.

The NYDFS alleges that a software update in October 2014 introduced a vulnerability in the document delivery application that left more than 850 million documents accessible to anyone, including sensitive personal information that, according to the NYDFS, “could be used by fraudsters to engage in identity theft and even outright theft of assets.” According to the Statement of Charges, any person could simply change the ImageDocumentID number in the URL by one or more digits to view the document corresponding to the revised ImageDocumentID, regardless of whether the viewer was in fact authorized to access that document. In other words, the document identifier in the URL was the only thing standing between the public and the record: the link proved possession of a number, not entitlement to the document.
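The following is an added illustration, not code from the Company or from the Statement of Charges, of the access pattern the charges describe and of the usual fix. The vulnerable handler treats the sequential ImageDocumentID in the URL as the only check, so incrementing it walks the store; the hardened handler issues share links that carry an HMAC-signed, expiring capability binding the document to the transaction it was shared under, and then checks that binding against the record before returning anything. The document store, the secret key, the transaction identifiers and the example.invalid host are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Hypothetical server-side secret, constructed for this example only.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed stand-in for the document store. Keys mimic a sequential
# ImageDocumentID; owner_txn records the transaction a document belongs to.
DOCUMENTS = {
    1001: {"owner_txn": "TXN-A", "content": "wire receipt for escrow A"},
    1002: {"owner_txn": "TXN-B", "content": "SSN page for borrower B"},
    1003: {"owner_txn": "TXN-A", "content": "tax record for property A"},
}


def fetch_document_vulnerable(image_document_id):
    """The pattern described in the charges: the ID in the URL is the only check."""
    doc = DOCUMENTS.get(image_document_id)
    return None if doc is None else doc["content"]


def enumerate_documents(start_id, count):
    """What anyone could do against the vulnerable endpoint: increment the ID."""
    found = {}
    for doc_id in range(start_id, start_id + count):
        content = fetch_document_vulnerable(doc_id)
        if content is not None:
            found[doc_id] = content
    return found


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_share_link(image_document_id, transaction_id, ttl_seconds=3600, now=None):
    """Hardened: the link carries a signed, expiring capability that binds the
    document to the transaction under which it was shared."""
    now = int(time.time()) if now is None else now
    payload = f"{image_document_id}|{transaction_id}|{now + ttl_seconds}".encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return "https://docs.example.invalid/view?token=" + _b64encode(payload + tag)


def token_from_link(link):
    return link.split("token=", 1)[1]


def fetch_document_hardened(token, now=None):
    """Verify the MAC, the expiry and the per-transaction authorization, in that order."""
    now = int(time.time()) if now is None else now
    try:
        raw = _b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # edited ID or forged token
        return None
    try:
        doc_id, txn, expiry = payload.decode().split("|")
        doc_id, expiry = int(doc_id), int(expiry)
    except ValueError:
        return None
    if now > expiry:  # stale link
        return None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner_txn"] != txn:  # authorization, not just a valid token
        return None
    return doc["content"]


def tamper_document_id(token, new_id):
    """The move from the charges, replayed against a hardened link: change the
    ImageDocumentID but keep the original tag. The MAC check rejects it."""
    raw = _b64decode(token)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    _, txn, expiry = payload.decode().split("|")
    return _b64encode(f"{new_id}|{txn}|{expiry}".encode() + tag)
```

The point of the last check in fetch_document_hardened is that a valid token is still not enough: the server compares the transaction carried in the token against the record's own ownership metadata, so a token minted for one transaction cannot be pointed at another transaction's document even if the signing key is correct. A per-link expiry limits how long a forwarded or leaked email stays useful.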

The NYDFS contends that the Company discovered the vulnerability and data exposure after it carried out a penetration test in December 2018 but did not remedy the vulnerability until May 2019. The Statement of Charges alleges the following failures in the Company’s vulnerability remediation program and the handling of the data exposure:

  • The Company allegedly failed to follow its own security policies by neglecting to conduct a security overview report for each application and a risk assessment for data stored or transmitted by any application. The Company had not performed any security overview or risk assessment in relation to its web-based document delivery system.
  • The Company allegedly misclassified the vulnerability as “medium severity” due to the mistaken belief that the document delivery system could not transmit personal information.
  • The Company allegedly conducted an “unacceptably minimal review of exposed documents, and thereby failed to recognize the seriousness of the security lapse” as the Cyber Defense Team reviewed only ten documents out of the hundreds of millions of documents which were exposed.
  • The Company allegedly failed to heed advice proffered by its own in-house cybersecurity experts: the Cyber Defense Team had recommended that the team responsible for the document delivery system conduct further review to determine whether the vulnerability could expose sensitive documents.
  • The Company allegedly failed to adhere to its own internal policies when it delayed addressing the software’s vulnerability for six months (the Company’s internal policy required a remediation within 90 days even for “low severity” vulnerabilities).
  • The Company allegedly assigned the remediation to an “unqualified employee” (i.e. a new employee with little experience in data security) who was also never given a copy of the penetration test report detailing the vulnerability he was supposed to remediate.
  • The Company’s database and document delivery system allegedly lacked adequate controls to protect personal information.

The NYDFS is seeking civil monetary penalties, an order requiring the Company to remedy the alleged violations, and any other relief deemed just and appropriate.

While the Statement of Charges does not indicate how the total penalty should be calculated or provide any information on the number of New York residents affected by the incident, the Cybersecurity Regulation carries penalties of up to $1,000 per violation. The NYDFS further alleges that each instance of personal information encompassed within the charges is a separate violation carrying up to $1,000 in penalties, which means that the penalty imposed on the Company may be significant.

So what are the key takeaways of this case? It appears that, in addition to ensuring that organizations implement appropriate cybersecurity policies and procedures, regulators are verifying that organizations actually comply with the terms of those internal policies and procedures. Indeed, the Statement of Charges alleges that the Company did not act in accordance with its own policies when it failed to remedy the vulnerability within the timeframes that the Company itself set out in those policies. The NYDFS also flagged that the Company did not follow the recommendations of its own cybersecurity personnel to conduct further review and investigate the vulnerability.

Interestingly, the NYDFS does not mention in the Statement of Charges whether it is aware of any identity theft, fraud or other incident exploiting the vulnerability. This suggests that the NYDFS intends to bring enforcement actions pursuant to its Cybersecurity Regulation even in the absence of concrete evidence of a specific or direct harm suffered by a New York resident, or indeed by any consumer based in New York.

The NYDFS further indicated that a hearing on these alleged violations will take place on October 26, 2020.