The charges are the first to be filed alleging violations of DFS’s Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations.
First American Title Insurance Company is one of the largest providers of title insurance in the United States. In 2019, First American wrote more than 50,000 policies in New York State.
In the statement of charges announced, the Department alleges that a vulnerability in First American's information systems resulted in exposure of consumers’ sensitive personal information over the course of several years, and First American failed to remedy the exposure promptly after it was discovered in December 2018.
DFS alleges multiple failures in First American's handling of the data exposure of sensitive consumer information, including:
First American failed to follow its own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
First American misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American's internal cybersecurity policies;
after the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
the title insurer failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
DFS alleges that the errors, deficient controls and other flaws in First American’s cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered.
According to the charges, First American violated six provisions of the Cybersecurity Regulation. The Cybersecurity Regulation is implemented pursuant to Section 408 of the Financial Services Law. Any violation of Section 408 with respect to a financial product or service, which includes title insurance, carries penalties of up to $1,000 per violation. DFS alleges that each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
In response, First American tells Security magazine, "First American strongly disagrees with the New York Department of Financial Services’ charges relating to a limited cybersecurity incident from May 2019. As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information. None of these identified consumers were New York residents. In March, the Nebraska Department of Insurance, the primary regulator of our title insurance company, led an examination of First American’s information security program as of June 30, 2019 and our response to the information security incident. The resulting report concluded that our 'IT general controls environment is suitably designed and is operating effectively,' that we 'adequately and appropriately detected, analyzed, contained, eradicated and recovered from the security incident' and that we are in compliance with New York’s cybersecurity requirements for financial services companies. At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges."