New York Files First Charges Under Data Security Regulation
July 30, 2020
The New York Department of Financial Services (DFS) filed its first-ever cybersecurity enforcement action on July 21, charging California-based First American Title Insurance Co. with violations of six different provisions of the DFS Cybersecurity Regulation.[1] The regulation, which originally took effect in March 2017, mandates that covered entities[2] adopt a comprehensive cybersecurity program, including regular risk assessments, data governance and classification policies, training programs, and remedial procedures. It also requires them to implement access controls, including encryption and multi-factor authentication, to protect “nonpublic information”[3] stored or transmitted on their networks.
The charges stem from a data breach confirmed by First American in May 2019 that exposed hundreds of millions of mortgage records.[4] DFS alleges that a known vulnerability in First American’s website exposed nonpublic information, including Social Security numbers, bank account numbers, and drivers’ license images, for over four years, and that First American failed to quickly fix the vulnerability after it was discovered in late 2018.
The statement of charges also alleges that the company failed to follow its own data security policies, including improperly identifying those data systems that contained or transmitted non-public information, thereby allowing the exposure of confidential information to the public. Finally, First American allegedly failed to provide adequate data security training for its employees and agents, conduct an adequate breach investigation, or follow the recommendations of its cybersecurity team.
Because DFS views each instance of exposed personal information as a separate violation, each entailing a potential $1,000 fine, First American’s exposure could be quite significant.
In a statement, First American said it “strongly disagrees” with the charges, and that its own investigation found that only a “very limited number” of consumers—none from New York—had their personal information accessed without their permission.
There are a few major takeaways from this case, even in this early stage. First, it is consistent with statements from DFS leadership that it is treating data security as a priority enforcement area, and portends future DFS focus in this space. Second, DFS is demonstrating that it will not hesitate to use the sweeping jurisdiction of the Cybersecurity Regulation to bring cases in which neither the victims nor the conduct are confined to the State of New York. Companies should be mindful that New York has become a new enforcement front, even if their operations and customers are largely elsewhere. And third, the case underscores the benefits of engaging legal counsel to conduct data risk assessments, quarterback post-breach response efforts, and conduct confidential audits to ensure that practices are consistent with policy.
[1] 23 NYCRR 500.
[2] A “covered entity” is any person or business “operating under or required to operate under a license, registration, certificate, permit, accreditation or similar authorization under the [New York] Banking Law, the [New York] Insurance Law, or the [New York] Financial Services Law.”
[3] “Nonpublic information” is defined in the regulation as all electronic information that is not publicly available and is: (1) business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the Covered Entity; (2) any information concerning an individual that because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code, or password that would permit access to an individual’s financial account, or (v) biometric records; and (3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present, or future physical, mental, or behavioral health or condition of any individual or a member of the individual’s family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.
[4] Brian Krebs, a cybersecurity journalist, reported that 885 million documents, dating back to 2003, were publicly accessible. The company’s own post-incident forensic analysis demonstrated that over 350,000 records were accessed without authorization by bots or scraper programs.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Lisa Monaco, an O’Melveny partner licensed to practice law in the District of Columbia and New York, John Dermody, an O’Melveny counsel licensed to practice law in California and the District of Columbia, and Evan Schlom, an O’Melveny counsel licensed to practice law in California and the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.