First Charges Filed Under New York’s Cyber Reg Involve First American Data Leak
The New York State Department of Financial Services (DFS) has filed cybersecurity charges against a title insurance provider for exposing millions of documents containing consumers’ personal information.
The charges are the first to be filed under DFS’ cybersecurity regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations, which went into effect in March 2017 and was implemented under a phased two-year timeline.
The regulation aims to protect New York’s financial services industry from the threat of a cyber attack and is the first cybersecurity regulation of its kind in the U.S. It has since served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states and the National Association of Insurance Commissioners.
“In public comments, Superintendent Linda A. Lacewell has repeatedly said, ‘Cybersecurity is the biggest threat to government and industry bar none,’” said a spokeswoman for DFS Superintendent Lacewell in an emailed statement. “The Superintendent has emphasized the DFS cybersecurity regulation will be enforced.”
In its first enforcement action under the cybersecurity reg, DFS alleges that First American Title Insurance Company exposed hundreds of millions of documents, millions of which contained consumers’ sensitive personal information including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images.
First American is a Nebraska-based stock insurance company and a licensee authorized to write title insurance in New York. In 2019, it wrote more than 50,000 policies in New York state, according to a DFS press release announcing the charges. As a result, First American is considered a covered entity subject to the requirements of New York’s cyber regulation.
DFS’ notice of charges against First American states that from at least October 2014 through May 2019, a known vulnerability on First American’s public-facing website made customers’ personal data available to anyone with a web browser.
The vulnerability was first introduced in May 2014 during a software update to EaglePro, the web-based title document delivery system that First American created and maintains on its network. The system allows title agents and other First American employees to share any document in its main document repository, known as FAST, with outside parties.
The vulnerability went undetected for years, the notice of charges alleges, adding that even after it was discovered by a penetration test in December 2018, First American allowed access to the personal and financial data of millions of its customers for six more months until the breach and its ramifications were publicized.
“The vulnerability thus led to exposure of a staggering volume of personal and financially sensitive documents, any number of which could be used by fraudsters to engage in identity theft and even outright theft of assets,” the notice of charges states. “Moreover, such theft could occur without individuals knowing their information had been stolen…”
In April 2018, FAST contained 753 million documents, 65 million of which had been tagged by First American as containing non-public information, or NPI. As of May 2019, FAST contained more than 850 million documents, according to the notice of charges.
DFS alleges in its notice of charges that there were multiple failures in First American’s handling of the exposure of sensitive customer information, contending that First American’s failure to promptly correct the vulnerability resulted from a “cascade of errors.”
As one example, the notice of charges points to an April 2018 presentation by senior members of First American’s IT and information security management teams to its board of directors. The presentation demonstrated that within a random sample of 1,000 documents stored in FAST, 30% of those documents contained NPI but were not tagged that way.
“At this error rate, potentially hundreds of millions of documents containing NPI were not designated properly,” the notice of charges states, adding that “to this day, the sole control preventing EaglePro from being used to transmit NPI is merely an instruction to users not to send NPI.”
Indeed, the notice of charges alleges that First American relies on training to ensure its employees follow procedures, delegating responsibility for the training to individual business units.
“When [DFS] asked [First American’s] CISO (chief information security officer) why additional controls were not adopted to protect NPI, [its] CISO disavowed ownership of the issue, stating, among other reasons, that such controls were not the responsibility of [the] information security department,” the notice of charges adds.
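The notice of charges faults First American for relying on a manual NPI tag (wrong for roughly 30% of the sampled documents) and on an instruction to users as the only control on the share path. The following is an added illustration, not First American's, EaglePro's or DFS's code, of what an automated compensating control at that point could look like: a content scan for the NPI types named in the charges (Social Security numbers, bank routing and account numbers) that blocks outbound sharing regardless of how the document was tagged, plus the kind of sample-based tagging audit the April 2018 board presentation described. The share function, the document sample and the detection patterns are all constructed for this example; the patterns are simple heuristics, not a complete DLP rule set.

```python
"""Content-based NPI gate for an outbound document-share step (illustrative)."""
from __future__ import annotations

import re

# Illustrative detectors for NPI types named in the notice of charges.
# SSN: 3-2-4 digits, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate ABA routing number: any standalone 9-digit run (checksum applied below).
ROUTING_RE = re.compile(r"\b\d{9}\b")
# Account number: a labelled 8-17 digit run ("account number 0012345678").
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{8,17})\b", re.IGNORECASE
)


def is_valid_routing(num: str) -> bool:
    """ABA routing-number checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10.
    Filters out ordinary 9-digit reference numbers that are not routing numbers."""
    d = [int(c) for c in num]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def scan_for_npi(text: str) -> dict[str, int]:
    """Return a count of NPI hits per detector; an empty dict means nothing found."""
    findings: dict[str, int] = {}
    ssn_hits = len(SSN_RE.findall(text))
    if ssn_hits:
        findings["ssn"] = ssn_hits
    routing_hits = [m for m in ROUTING_RE.findall(text) if is_valid_routing(m)]
    if routing_hits:
        findings["aba_routing"] = len(routing_hits)
    account_hits = ACCOUNT_RE.findall(text)
    if account_hits:
        findings["account_number"] = len(account_hits)
    return findings


def share_decision(doc_text: str, tagged_npi: bool) -> tuple[str, dict[str, int]]:
    """Gate for a hypothetical share path. The content scan overrides the manual
    tag, so a document that holds NPI but was never tagged is still blocked."""
    findings = scan_for_npi(doc_text)
    if tagged_npi or findings:
        return "block", findings
    return "allow", findings


def untagged_npi_rate(sample: list[tuple[str, bool]]) -> float:
    """Sample audit: fraction of documents whose content holds NPI but which
    carry no NPI tag (the gap the April 2018 board sample exposed)."""
    untagged = sum(1 for text, tagged in sample if scan_for_npi(text) and not tagged)
    return untagged / len(sample)


# Constructed sample documents: (text, manually tagged as NPI?)
SAMPLE_DOCS: list[tuple[str, bool]] = [
    ("Wire receipt: routing 123456780, account number 00123456789, beneficiary J. Doe", False),
    ("Form W-9: SSN 123-45-6789 for borrower", True),
    ("Cover letter: please find enclosed the closing package. Ref 987654321", False),
    ("Exhibit A: legal description of the parcel, lot 12 block 4", False),
]


if __name__ == "__main__":
    for text, tagged in SAMPLE_DOCS:
        verdict, found = share_decision(text, tagged)
        print(f"{verdict:5} tagged={tagged!s:5} findings={found} :: {text[:40]}")
    print(f"untagged NPI rate in sample: {untagged_npi_rate(SAMPLE_DOCS):.0%}")
```

The first sample document is the important case: it carries a routing number and an account number but no NPI tag, and the content scan blocks it anyway, while the "Ref 987654321" line in the third document is not flagged because it fails the routing checksum. The audit function turns the board's 1,000-document spot check into something that can be re-run on every sample rather than presented once.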
First American strongly disagrees with DFS’ charges, the company said in a prepared media statement.
“As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information,” according to the statement. “None of these identified consumers were New York residents.”
A source familiar with the matter said First American’s investigation into the cybersecurity incident identified 32 consumers, none of whom were residents of New York, whose NPI likely was accessed without authorization. Otherwise, no evidence of misuse of NPI was found, according to the source.
In March, the Nebraska Department of Insurance (DOI), the primary regulator of First American’s title insurance company, led an examination of First American’s information security program as of June 30, 2019, and its response to the information security incident.
First American alleges in its media statement that the resulting DOI report found that First American’s IT general controls environment was operating effectively and that the company adequately identified and responded to the cybersecurity incident. First American also contends in its media statement that the DOI examination report found the company to be in compliance with New York’s cybersecurity requirements for financial services companies.
“At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges,” First American said in its media statement.
First American was found to be in violation of six provisions of New York’s cybersecurity regulation, according to DFS’ notice of charges.
Any violation with respect to a financial product or service, which includes title insurance, carries penalties of up to $1,000 per violation. DFS contends that every instance of NPI included in the charges against First American constitutes a separate violation carrying up to $1,000 in penalties each.
A hearing will be held at DFS’ offices in New York City on October 26, 2020.