On July 22, 2020, New York’s Department of Financial Services (NYDFS) filed its first cybersecurity enforcement action against First American Title Insurance Company (First American), seeking civil monetary penalties for several violations of its cybersecurity regulation, 23 NYCRR §500. Entities subject to New York’s Financial Services Law, such as First American, may be subject to a civil penalty up to $1,000 per violation or up to $5,000 per intentional violation, and according to NYDFS, each instance of unauthorized disclosure of NPI constitutes a separate violation. Therefore, an enforcement action under 23 NYCRR §500 may result in a hefty fine, particularly in the event of a large-scale data breach.

Because this is the first enforcement action brought by NYDFS since 23 NYCRR §500 came into effect, the results of this case will provide valuable insight as to what level of cybersecurity safeguards NYDFS will deem as compliant and, more importantly, what sort of penalties will result if NYDFS finds an entity noncompliant under 23 NYCRR §500.  On a practical level, it will be important for all entities subject to NYDFS regulation to review the statement of charges and consider how NYDFS would judge their own cybersecurity programs.

Allegations Against First American

NYDFS alleges that First American failed to address a known vulnerability in its information systems, resulting in the exposure of consumers’ sensitive personal information (described below) over the span of several years. In its Statement of Charges, NYDFS alleges First American failed to fix a vulnerability on its public-facing website that exposed millions of documents containing customer bank account numbers, mortgage records, tax records, Social Security numbers and other forms of personal information. Due to the vulnerability, users permitted access to documents on First American’s website via a URL were able to access other restricted documents simply by changing a digit in the URL. Although the vulnerability is associated with an application First American updated in 2014, NYDFS is seeking enforcement starting after 23 NYCRR §500 took effect. According to NYDFS, First American’s internal Cyber Defense Team discovered the vulnerability in December 2018 during a penetration test, but for more than six months after the discovery failed to patch it and failed to perform additional investigations to understand the scope of the deficiency and the associated risks.

NYDFS claims First American’s lapse in remediation was due to a cascade of errors, such as erroneously classifying the vulnerability as “medium severity,” tasking an unqualified new employee to patch the vulnerability (without providing such employee adequate information, i.e., the penetration test results and First American’s data security policies) and the company’s overall failure to adhere to its own internal policies. According to NYDFS, First American remained ignorant of its IT deficiencies until a journalist published an article in May 2019 revealing that “885 million documents – dating as far back as 2003 and many containing NPI” were “openly accessible to the public.” Only then did First American patch its vulnerability and report the incident to NYDFS, even though 23 NYCRR §500.17 required notification to NYDFS within 72 hours of determining a reportable cybersecurity event had occurred.

Based on these alleged facts, NYDFS alleges First American violated the following six provisions of 23 NYCRR §500:

  • 23 NYCRR §500.02: Requirement to maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s IT system;
  • 23 NYCRR §500.03: Requirement to implement and maintain written policies approved by a senior officer of the covered entity’s board of directors (or an equivalent governing body) setting the entity’s policies and procedures to protect its IT systems and non-public information (NPI) stored on its IT systems;
  • 23 NYCRR §500.07: Requirement to maintain proper access controls to the covered entity’s IT systems to protect NPI;
  • 23 NYCRR §500.09: Requirement to perform adequate risk assessments of the covered entity’s IT systems to inform the design of its cybersecurity program;
  • 23 NYCRR §500.14: Requirement to provide adequate security training to the covered entity’s employees; and
  • 23 NYCRR §500.15: Requirement to protect NPI held or transmitted by the covered entity by the implementation of encryption.

In response to NYDFS’s allegations, First American is relying on a third-party investigation which found “a very limited number of consumers – and none of them from New York – had personal information exposed” due to the identified vulnerability. A hearing on the charges is currently scheduled for October 26, 2020.

NYDFS Requirements

NYDFS regulates certain financial institutions operating in New York pursuant to a license, permit or similar accreditations under New York State’s Banking Law, Insurance Law or Financial Services Law. Designed to protect financial institutions’ IT systems and their customer information, 23 NYCRR §500 requires covered entities to “assess its specific risk profile and design a [cybersecurity] program that addresses [such risks]” as well as “file an annual certification confirming compliance.” The regulation dates to March 2017, but did not go into full effect until March 2019.

The regulations require what is, in essence, basic cybersecurity governance. 23 NYCRR §500 enumerates a series of obligations covered entities must adhere to in order to maintain compliance. Examples of such obligations can be found in the provisions listed above. Although certain entities, specifically entities that employ fewer than 10 employees, generate less than $5 million in gross annual income or hold less than $10 million in year-end assets, are exempted from the regulation, such entities still must file a Notice of Exemption with the NYDFS. Violation of 23 NYCRR §500 may result in the suspension or revocation of licensure in addition to any applicable civil or criminal penalties, depending on whether the covered entity is subject to New York’s Banking, Financial Services or Insurance Law.