DFS Pursuing First Enforcement Action After Fortune 500 Company Ignores Warnings of Security Shortcomings

On Wednesday, July 22, 2020, almost three and a half years after the Department of Financial Services’ (DFS) cybersecurity regulations (23 N.Y.C.R.R. Part 500) became effective, DFS issued its first enforcement notice.

The enforcement notice targets First American Title Insurance Company (“First American”), a Fortune 500 company and the second largest real estate title insurance provider in the United States, with revenues in the billions. Speculation over the first enforcement action has been growing over the last year, particularly after the creation of the DFS Cybersecurity Division in May 2019, a division which was tasked with enforcing Part 500 and issuing cybersecurity guidance. First American finds itself in the unenviable position of being the Cybersecurity Division’s test case when these charges are brought to a hearing on October 26, 2020.

According to the charges, First American first identified a vulnerability on its public-facing website, which exposed tens of millions of documents containing customers’ sensitive personal information, in December 2018. The vulnerability had apparently gone undetected since 2014, until it was discovered by First American’s Cyber Defense Team during a penetration test. Even after its discovery, First American is charged with ignoring the vulnerability for almost six more months until cybersecurity blog KrebsOnSecurity ran an article exposing the issue. KrebsOnSecurity reported that anyone who received a URL to access a document on First American’s website could also access other documents simply by changing a single digit in the URL, without using any type of login or authentication. The URLs did not expire, so they essentially served as perpetual open doors into First American’s entire repository of documents maintained on behalf of millions of buyers and sellers of real estate.  
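The access pattern described above (sequential document identifiers in a URL, no authentication, links that never expire) beside a hardened version that binds each link to one document, one recipient and an expiry and checks ownership on every request. This is an added illustration, not code from First American or from the charges; the repository, the users and the secret key are constructed placeholders.

```python
import hmac, hashlib, time
from urllib.parse import urlencode, parse_qs

# Constructed sample repository: document id -> (owner, contents). Hypothetical data.
DOCUMENTS = {
    "100001": ("alice", "closing statement for 12 Main St"),
    "100002": ("bob", "deed of trust for 7 Oak Ave"),
}
SECRET = b"server-side-secret-rotate-me"  # hypothetical key; lives only on the server

def vulnerable_fetch(doc_id):
    """The pattern the charges describe: whatever id appears in the URL is served,
    with no login, no ownership check and no expiry."""
    return DOCUMENTS.get(doc_id, (None, None))[1]

def make_link(doc_id, user, ttl_seconds, now=None):
    """Issue a link bound to one document, one recipient and an expiry time,
    authenticated with an HMAC so none of the three fields can be altered."""
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    sig = hmac.new(SECRET, f"{doc_id}|{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    return "?" + urlencode({"doc": doc_id, "user": user, "exp": exp, "sig": sig})

def hardened_fetch(query, session_user, now=None):
    """Serve the document only if the signature verifies, the link is unexpired,
    the caller is logged in as the link's recipient, and that user owns the document."""
    q = {k: v[0] for k, v in parse_qs(query.lstrip("?")).items()}
    try:
        doc_id, user, exp, sig = q["doc"], q["user"], int(q["exp"]), q["sig"]
    except (KeyError, ValueError):
        return None
    expected = hmac.new(SECRET, f"{doc_id}|{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # id, user or expiry was tampered with
        return None
    if (now if now is not None else time.time()) > exp:  # link has expired
        return None
    if session_user != user:                        # must be authenticated as the recipient
        return None
    owner, body = DOCUMENTS.get(doc_id, (None, None))
    return body if owner == session_user else None  # ownership enforced per request
```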

Despite the internal warning raised by its own Cyber Defense Team in its risk assessment process, First American failed to further investigate or correct the vulnerability. DFS also charges First American’s senior management with rejecting internally proposed remediation efforts even after the vulnerability was made public.

In a similar situation in 2018, University of Texas MD Anderson Cancer Center was charged with failing to protect personal health information (“PHI”) through the use of encryption, even though its prior risk assessments had identified the lack of encryption of PHI stored on mobile devices as posing a serious risk. Before MD Anderson had deployed encryption across its entire system and its full mobile device inventory, two unencrypted flash drives and an unencrypted laptop, all containing PHI, were stolen. The fine levied against MD Anderson totaled over $4 million, although it continues to pursue an appeal of that decision.

Here, First American might have prevented the potential exposure of millions of files had it conducted a risk assessment of the computer program that housed the non-public data, as well as of the data itself. At the very least, it could have lessened the extent of the possible damage by remediating the vulnerability immediately upon discovery, rather than ignoring the problem. DFS also identified various other internal control issues, including a lack of consistent employee security training and a failure to use adequate protective measures, including encryption.

First American is subject to a fine of $1000 per violation, as well as a separate $1000 fine for each instance of non-public information encompassed within the charges.

The obvious lesson to be drawn from the charges against First American, and the case against MD Anderson, is to follow internal cybersecurity procedures and not to ignore identified shortcomings. These two cases also underscore the importance of completing a periodic risk assessment in order to ensure that the protections a company has already implemented provide sufficient protection from the ever-evolving world of cyber threats.
