On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation, 23 NYCRR 500.00, et seq. The significance of the NYDFS enforcement action is hard to overstate. This is the first action filed under the Cybersecurity Regulation, and it signals a more aggressive enforcement stance by the regulator. The good news is that the filings provide important guidance on best practices and on the red flags that draw agency sanctions.
The NYDFS Statement of Charges alleges that First American knowingly exposed tens of millions of documents containing sensitive consumer personal information (bank account numbers, bank statements, mortgage records, Social Security numbers, wire transaction receipts, driver's license images and the like). The charges further allege that for almost five years (from October 2014 through May 2019) these records were available on First American's public-facing website to anyone with a web browser. The fact that First American failed to remediate the vulnerability even after it was discovered by a penetration test in December 2018 was particularly troublesome for the regulator. The charges state that, "Remarkably, [First American] allowed unfettered access to the personal and financial data of millions of its customers for six more months. . ." Clearly, the NYDFS found this treatment of sensitive consumer data unconscionable and concluded that First American had demonstrated a total disregard for the Cybersecurity Regulation.
First American’s specific violations include:
- Failure to maintain a cybersecurity program to protect the confidentiality, integrity and availability of sensitive information in violation of 23 NYCRR 500.02;
- Failure to maintain a management approved information security policy and related procedures in violation of 23 NYCRR 500.03;
- Failure to implement appropriate user access privileges and restrictions in violation of 23 NYCRR 500.07;
- Failure to conduct periodic risk assessments for input to the cybersecurity program in violation of 23 NYCRR 500.09;
- Failure to adequately train personnel and to update training to reflect newly identified risks in violation of 23 NYCRR 500.14(b); and
- Failure to implement security controls, particularly encryption, to protect sensitive and non-public personal information ("NPI") in violation of 23 NYCRR 500.15.
The NYDFS Statement of Charges provides a best practices roadmap for covered entities. Based on the First American filing, every entity regulated by the NYDFS should:
- Develop and maintain a cybersecurity program based on regular risk assessments that identify and assess internal and external cyber risks that may threaten the security or integrity of NPI;
- Implement senior management-approved data governance and classification policies for the protection of NPI that include access controls and encryption suitable to the business model and its associated risks;
- Perform periodic reviews of all access rights and controls, including pre-approved lists;
- Track findings from penetration tests and vulnerability assessments through to remediation; the six-month gap between First American's December 2018 penetration test and the closure of the exposure in May 2019 drew particular criticism in the Statement of Charges;
- Train employees on the entity’s cybersecurity program and update training for newly identified risks and information system upgrades; and
- Encrypt sensitive data in transit and at rest.
Further guidance and best practices will undoubtedly emerge as the NYDFS brings additional enforcement actions. For now, the First American action provides a wealth of information for covered entities seeking to avoid violations of the Cybersecurity Regulation.