In July 2020, the New York State Department of Financial Services (NYDFS) filed the first enforcement action under the new NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500), against First American Title Insurance Company (First American), a leading title insurance provider.
Part 500, which went into effect in March 2019, is a set of regulations that places new cybersecurity requirements on financial institutions regulated by NYDFS. Pursuant to Part 500, covered financial institutions must establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of non-public information (NPI). Covered entities must also maintain policies and procedures to protect the privacy of consumer data.
The Statement of Charges filed by NYDFS alleged that First American did not maintain adequate internal controls to protect NPI. Furthermore, NYDFS alleged that First American exposed numerous documents containing consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and drivers’ license images.
More specifically, NYDFS alleged that a “known vulnerability” in First American’s information systems resulted in exposure of NPI via the company’s public-facing website. According to the Statement of Charges, in 2014, First American updated an internal system and inadvertently created access to loan documents — without any login or authentication — through a public URL. NYDFS also alleged that an internal penetration test identified the vulnerability in December 2018, but First American failed to properly and timely remediate it.
The NYDFS Statement of Charges alleges six different violations of Part 500:
- Failure to maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the company’s information systems (23 NYCRR 500.02).
- Failure to maintain a policy approved by a Senior Officer or the board of directors or equivalent governing body, setting forth the company’s policies and procedures for the protection of its information systems and the NPI stored on those information systems (23 NYCRR 500.03).
- Failure to limit user access privileges to information systems that provide access to NPI and failure to periodically review such access privileges (23 NYCRR 500.07).
- Failure to conduct a periodic risk assessment of the company’s information systems and failure to update said risk assessment to address changes to the company’s information systems, NPI, or business operations (23 NYCRR 500.09).
- Failure to provide regular cybersecurity awareness training for all personnel (23 NYCRR 500.14(b)).
- Failure to implement controls to protect NPI held or transmitted by the company both in transit over external networks and at rest (23 NYCRR 500.15).
In the wake of NYDFS’s enforcement action, First American publicly stated that it “strongly disagrees” with the charges. A hearing is scheduled for October 26, 2020, to determine whether the alleged violations occurred and “whether civil monetary penalties shall be imposed and other appropriate relief be granted.” According to NYDFS, each instance of NPI “encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.”
The charges against First American are notable because they indicate that NYDFS intends to aggressively pursue and enforce what it perceives to be violations of Part 500. The case is particularly significant because, while there are allegations that consumer data was exposed, there are no allegations of a wholesale data breach or that any consumers were actually harmed by First American’s alleged violations. The willingness to bring an enforcement action under these circumstances further indicates how aggressively NYDFS intends to enforce Part 500. Finally, if the charges are proven, it will be interesting to see whether NYDFS actually seeks to impose a $1,000 penalty for each violation of Part 500. To the extent that NYDFS takes this position, the fine imposed could be significant.
This enforcement action serves as an important reminder to financial services companies regulated by NYDFS to ensure that they are in compliance with Part 500. Regulated entities must ensure that they are not only creating effective cybersecurity policies and procedures, but also that they are following, implementing, and modifying these policies and procedures on a regular basis.
Regulated entities would be wise to pay heed to the following recommendations:
- Encrypt NPI and Personal Information. While NYDFS acknowledged that encryption would not have protected the NPI at issue in the First American case because of the nature of that particular vulnerability, it nevertheless included an encryption violation in its Statement of Charges. Encrypting NPI is critical to protecting customer data: an unauthorized person who gains access to encrypted data cannot read or exploit it without the key.
- Empower CISOs. The Chief Information Security Officer (CISO) needs both to keep track of operational risks and to be positioned to report those risks meaningfully to an audience with the authority to mitigate them. Part 500 requires covered entities to designate a CISO. The CISO plays a critical role in the development and implementation of cybersecurity policies and procedures that can both help to prevent data breaches and mitigate the damage once a breach occurs. CISOs are also vital to ensuring that companies are in compliance with all applicable state and federal regulations. In addition, a good CISO will serve as a liaison between a company’s C-suite and the engineers who are tasked with creating and implementing a cybersecurity plan.
- Create Incident Escalation Triggers. Initial incident reporting and escalation is often a key failure in incident response. To minimize this risk, incident response plans and processes should include triggers based on time, scope, and sensitivity of information to standardize the initial reporting and escalation process.
- Maintain a Complete and Updated Data Inventory of NPI. In order to prevent and mitigate cybersecurity incidents, an organization must understand which systems or networks contain personal information and how that information is accessed internally and shared externally.
- Update Internal Policies to Reflect Current Practices. The drafting and review process for cybersecurity policies and procedures should incorporate recommendations from interdisciplinary offices including IT, HR, Legal, Risk, and Operations. Employees should test the policies during penetration tests and exercises, and the policies should be updated as needed after each test.
- Train All Employees on Cybersecurity Awareness. Training employees on cybersecurity awareness will enable them to identify potential threats to a company’s data and serve as a line of defense for protecting sensitive data. In many data breaches, attackers gain access to the victim company’s data through the manipulation of unsuspecting employees — such as phishing or social engineering schemes. Training employees to recognize potential cyberattacks can significantly reduce the risk of a potential data breach.