First Charges Filed Under New York’s Cyber Reg Involve First American Data Leak
The New York State Department of Financial Services (DFS) filed cybersecurity charges against a title insurance provider for exposing millions of documents containing consumers’ personal information.
The charges are the first to be filed under DFS’ cybersecurity regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations, which went into effect in March 2017 and was implemented under a phased two-year timeline.
“In public comments, [DFS] Superintendent Linda A. Lacewell has repeatedly said, ‘Cybersecurity is the biggest threat to government and industry bar none,’” said a spokeswoman for Lacewell in an emailed statement. “The Superintendent has emphasized the DFS cybersecurity regulation will be enforced.”
In its first enforcement action under the cybersecurity reg, DFS alleged that First American Title Insurance Company exposed hundreds of millions of documents, millions of which contained consumers’ sensitive personal information including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images.
First American is a Nebraska-based stock insurance company and a licensee authorized to write title insurance in New York. In 2019, it wrote more than 50,000 policies in New York state, according to a DFS press release announcing the charges. As a result, First American is considered a covered entity subject to the requirements of New York’s cyber regulation.
DFS’ notice of charges against First American stated that from at least October 2014 through May 2019, a known vulnerability on First American’s public-facing website made customers’ personal data available to anyone with a web browser.
According to the notice, the vulnerability was introduced in May 2014 during a software update to EaglePro, the web-based title document delivery system that First American created and maintains on its network. The system allows title agents and other First American employees to share any document in the company’s main document repository, known as FAST, with outside parties.
The vulnerability went undetected for years, the notice of charges alleged. Even after a penetration test identified it in December 2018, the notice added, First American left the personal and financial data of millions of its customers exposed for six more months, until the breach and its ramifications were publicized in May 2019.

The notice also pointed to an April 2018 presentation by senior members of First American’s IT and information security management teams to its board of directors. The presentation showed that, within a random sample of 1,000 documents stored in FAST, 30% contained nonpublic information (NPI) but were not tagged as such.
“At this error rate, potentially hundreds of millions of documents containing NPI were not designated properly,” the notice of charges stated, adding that “to this day, the sole control preventing EaglePro from being used to transmit NPI is merely an instruction to users not to send NPI.”
First American strongly disagrees with DFS’ charges, the company said in a prepared media statement.
“As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information,” according to the statement. “None of these identified consumers were New York residents.”
A source familiar with the matter said First American’s investigation into the cybersecurity incident identified 32 consumers, none of whom were residents of New York, whose NPI likely was accessed without authorization. Otherwise, no evidence of misuse of NPI was found, according to the source.
In March, the Nebraska Department of Insurance (DOI), the primary regulator of First American’s title insurance company, led an examination of First American’s information security program as of June 30, 2019, and of its response to the information security incident. First American said in its media statement that the resulting DOI report found the company’s IT general controls environment to be operating effectively and found that the company adequately identified and responded to the cybersecurity incident. First American also contended that the DOI examination report found the company to be in compliance with New York’s cybersecurity requirements for financial services companies.
“At First American, security, privacy and confidentiality are of the highest priority,” First American said in its media statement.
DFS charged First American with violating six provisions of New York’s cybersecurity regulation, according to the notice of charges. A violation with respect to a financial product or service, which includes title insurance, carries a penalty of up to $1,000 per violation. DFS contends that every instance of NPI included in the charges against First American constitutes a separate violation.
A hearing will be held at DFS’ offices in New York City on Oct. 26, 2020.