Banking and Finance Law Daily
Friday, July 24, 2020

New York charges title insurance company with cybersecurity violations

By Nicole D. Prysby, J.D.

Bringing its first charges under New York’s 2017 Cybersecurity Regulation, the Department of Financial Services alleges that a title insurance provider exposed millions of documents containing consumers’ sensitive personal information.

The New York Department of Financial Services (DFS) announced charges against First American Title Insurance Company, alleging that it exposed hundreds of millions of documents, millions of which contained consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images. From October 2014 through May 2019, more than 850 million personal records were available to anyone with a web browser, according to the complaint. The data exposure occurred through a known vulnerability on First American’s public-facing website that allowed anyone with a web browser to access the records.

These are the first charges brought under New York’s 2017 Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations. The complaint states that First American failed to remedy the exposure promptly after it was discovered in December 2018. DFS alleged multiple failures in First American’s handling of the data exposure of sensitive consumer information, including that First American failed to follow its own policies and neglected to conduct a security review and a risk assessment of the flawed computer program responsible for the breach and the sensitive data associated with the data vulnerability.

In addition, First American is alleged to have misclassified the vulnerability as "low" severity despite the magnitude of the document exposure, failed to investigate the vulnerability within the timeframe dictated by its own cybersecurity policies, failed to conduct a reasonable investigation into the scope and cause of the exposure, and failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability. DFS alleged that these errors, deficient controls, and other flaws in First American’s cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered.

According to the complaint, there was a vulnerability in First American’s system that permitted anyone to manually manipulate a URL on First American’s website to access personal documents. Failures at several points in time led to a delay in fixing the vulnerability. For example, while conducting a review of the problem (discovered through an internal penetration test in 2018), the First American Cyber Defense Team reviewed only 10 of the hundreds of millions of documents exposed. Those 10 documents did not include any personal information, and the Team failed to realize the seriousness of the issue.

Companies: First American Title Insurance Company
