The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (the “Charges”) earlier today against First American Title Insurance Company (“First American”) for multiple violations of the DFS Part 500 Cybersecurity Regulation (the “Regulation”), including:

  • Failure to perform an adequate risk assessment
  • Failure to maintain proper access controls
  • Failure to provide adequate security training for cybersecurity employees
  • Failure to encrypt certain nonpublic information

The Charges carry potential penalties of up to $1,000 per violation, and in its press release, the DFS asserts that each instance of nonpublic information that was accessed by an unauthorized person constitutes a separate violation. The Charges allege that hundreds of millions of documents were at risk, more than 350,000 documents were accessed without authorization, and that a sample of 1,000 documents found that 30% contained nonpublic information. 

This is the first cybersecurity enforcement action the DFS has brought under its regulations, and one of only two instances we are aware of in which the DFS issued a Statement of Charges against a financial institution, rather than a Consent Order or Settlement Agreement.

The Charges offer some key insights into how the DFS will interpret and enforce the Regulation going forward, and where companies face the most significant regulatory cyber risk.

The DFS Cybersecurity Regulation

The Regulation (23 N.Y.C.R.R. Part 500) is still the most comprehensive cybersecurity regulation in the United States. The DFS opted to implement the Regulation in four phases, the first of which went into effect on August 28, 2017. Regulated entities were required to certify compliance with all of the rules for the first time on June 1, 2020.

The Allegations Against First American

First American Title Insurance Company is the largest subsidiary of First American Financial Corporation, and is a licensee of the DFS superintendent authorized to write title insurance in New York. In 2019, a real estate developer discovered that hundreds of millions of documents, some of which contained sensitive personal information, could be accessed through First American’s website.

First American’s main document repository is known as “FAST.” First American also created and maintained an application known as EaglePro, which is a web-based document delivery system that allows First American employees to share documents with the parties to a transaction. According to the Charges, the documents stored in FAST were identified by a number, which was included in the URL shared by EaglePro for that document. By modifying one of the digits in the URL, a user could potentially access other people’s records. Krebs on Security reported in May 2019 that over 800 million files could be viewed via this method.
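The access pattern the Charges describe is a direct object reference keyed by a sequential document number. The following is an added illustration, not code from First American or EaglePro: a vulnerable resolver that trusts the number in the URL, beside a hardened one in which each share link is a random token bound to one document and one authorized recipient. The repository contents, party names and function names are constructed for the example.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample repository: document number -> (content, parties authorized to view it).
# Sequential numbers mirror the FAST identifiers described in the Charges.
DOCUMENTS: Dict[int, Tuple[str, set]] = {
    100001: ("closing statement, 12 Elm St", {"buyer-a", "seller-a"}),
    100002: ("wire receipt, account ending 4412", {"buyer-b"}),
    100003: ("tax record containing an SSN", {"seller-c"}),
}


def fetch_document_vulnerable(doc_number: int) -> Optional[str]:
    """The flawed pattern: the URL parameter is the document number and the
    server returns whatever it points at, with no check that the requester
    is a party to that transaction. Changing one digit reaches another file."""
    entry = DOCUMENTS.get(doc_number)
    return entry[0] if entry else None


# Hardened design: share links carry an unguessable token, and the server
# records which document and which recipient the token was issued for.
SHARE_LINKS: Dict[str, Tuple[int, str]] = {}


def create_share_link(doc_number: int, recipient: str) -> str:
    """Issue a link only to a party on the document; the token, not the
    document number, is what appears in the URL."""
    _content, parties = DOCUMENTS[doc_number]
    if recipient not in parties:
        raise PermissionError("recipient is not a party to this transaction")
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: not enumerable
    SHARE_LINKS[token] = (doc_number, recipient)
    return token


def fetch_document_hardened(token: str, requester: str) -> Optional[str]:
    """Resolve the token and enforce object-level authorization on every request:
    the token must have been issued to this requester, and the requester must
    still be a party on the document (so revoking a party revokes old links)."""
    link = SHARE_LINKS.get(token)
    if link is None:
        return None
    doc_number, recipient = link
    if requester != recipient:
        return None
    content, parties = DOCUMENTS[doc_number]
    if requester not in parties:
        return None
    return content
```

A second control worth pairing with the hardened resolver is logging every failed token lookup, since a burst of misses from one client is the signature of enumeration rather than legitimate use.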

The compromised documents were related to mortgages, and some contained bank account numbers, tax records, Social Security Numbers, wire transaction receipts, and driver’s license images. The DFS alleges that the vulnerability existed for over four years, from at least October 2014 through May 2019. Further, the Charges allege that First American discovered the vulnerability through a penetration test in December 2018, but ignored a recommendation from the internal cyber defense team to investigate further and determine whether sensitive documents were exposed. That team had reviewed 10 of the documents exposed by the vulnerability, none of which contained nonpublic information, and on that basis erroneously concluded that the vulnerability exposed no nonpublic information.

Six Quick Takeaways

We are continuing to analyze the Charges and will provide a more detailed assessment in the coming days, but for now, here are a few takeaways:

  1. Follow Your Cyber Policies: The DFS stresses in both the Charges and the press release that First American failed to follow its own cyber policies by neglecting to conduct a security review and a risk assessment of the flawed application and of the sensitive data exposed by the vulnerability.
  2. Be Conservative in Categorizing Risks: The DFS also stresses that First American had misclassified the vulnerability as “medium” and “low” severity, despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American’s internal cybersecurity policies.
  3. Conduct Robust Reviews of Vulnerabilities, With Reasonable Sampling: The DFS repeatedly notes that after the data exposure was discovered, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed, and thereby underestimating the seriousness of the vulnerability.
  4. Carefully Consider Recommendations by Internal Cybersecurity Personnel: The DFS focuses on the fact that First American failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
  5. The Importance of Qualifications and Training: The Charges include a violation of the requirement that regulated entities provide cybersecurity training for personnel that is updated to reflect risks identified in risk assessment. The DFS alleges that First American’s employees who uploaded sensitive documents into the FAST system did not receive adequate data security training, resulting in both a failure to properly identify sensitive documents and to treat such documents appropriately.
  6. Fix Significant Vulnerabilities Quickly: Perhaps the most important takeaway is the DFS’s view that entities should promptly remediate significant vulnerabilities found during risk assessments and penetration tests.

Conclusion

The first DFS enforcement action under its Part 500 rules shows that it regards cybersecurity compliance as more than a check-the-box or paper exercise. Instead, the DFS is signaling that it will carefully review the reasonableness of, and decision-making process supporting, companies’ cybersecurity actions. The Charges seem to acknowledge that a regulated entity can reach a different conclusion than the DFS and still be in compliance, but the company must document its thought process carefully and be prepared to defend the rationale and governance process supporting that decision.

It appears that the DFS is now entering a new phase of its cybersecurity regulation, making enforcement a priority. Companies should carefully review the Charges to see where they may be able to reduce their risks.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Lisa Zornberg is a Debevoise litigation partner based in the firm’s New York office. She is a member of the White Collar & Regulatory Defense Group, where her practice focuses on white collar defense, regulatory enforcement actions and internal investigations – including cyber investigations – for corporations and financial institutions, as well as complex civil litigation. She can be reached at lzornberg@debevoise.com.

Author

Zila R. Acosta-Grimes is a member of Debevoise’s Financial Institutions Group based in the New York office. Ms. Acosta-Grimes’ practice focuses on banking regulatory, transactional and compliance matters. She can be reached at zracosta@debevoise.com.

Author

Michael Bloom is an associate in the Litigation Department. He can be reached at mjbloom@debevoise.com.

Author

Christopher S. Ford is a counsel in the Litigation Department who is a member of the firm’s Intellectual Property Litigation Group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise’s Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.