Press Release of November 28:
The New York State Department of Financial Services (DFS) today announced that First American Title Insurance Company (First American) will pay a $1 million penalty to New York State for violations of DFS’s Cybersecurity Regulation (23 NYCRR Part 500) stemming from a large-scale cybersecurity breach in May 2019. The breach contributed to the exposure of consumers’ nonpublic information. In addition to penalties, the company has agreed to implement significant remedial measures to better secure consumer data.
As the nation’s second-largest title insurance company, First American collects the personal and financial data of hundreds of thousands of individuals annually on title-related documents and stores that information in its proprietary EaglePro application. In May 2019, First American senior management learned of a vulnerability in the application whereby any individual in possession of the link used to access EaglePro could access not only their own documents without authentication, but also those of individuals in unrelated transactions.
DFS’s investigation found that, in violation of the Department’s Cybersecurity Regulation, First American failed to maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and procedures. As a result, EaglePro lacked sufficient access controls designed to prevent unauthorized users from gaining access to consumers non-public information.
DFS’s Cybersecurity Regulation became effective in March 2017, and it has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law. In November of this year, after consultation with industry stakeholders, DFS Superintendent Adrienne A. Harris adopted amendments to the Cybersecurity Regulation designed to enhance cyber governance, mitigate risks, and strengthen protections for New York businesses and consumers against cyber threats.
To review the First American consent order, visit the DFS website.
Source: NYS DFS