On Wednesday, July 22, 2020, almost three and a half years after the Department of Financial Services’ (DFS) cybersecurity regulations (23 N.Y.C.R.R. Part 500) became effective, DFS issued its first enforcement notice.
The enforcement notice targets First American Title Insurance Company (“First American”), a Fortune 500 company and the second largest real estate title insurance provider in the United States, with revenues in the billions. Speculation over the first enforcement action has been growing over the last year, particularly after the creation of the DFS Cybersecurity Division in May 2019, a division which was tasked with enforcing Part 500 and issuing cybersecurity guidance. First American finds itself in the unenviable position of being the Cybersecurity Division’s test case when these charges are brought to a hearing on October 26, 2020.
According to the charges, First American first identified a vulnerability on its public-facing website in December 2018; the flaw exposed tens of millions of documents containing customers’ sensitive personal information. The vulnerability had apparently gone undetected since 2014, until First American’s Cyber Defense Team found it during a penetration test. Even after its discovery, First American is charged with ignoring the vulnerability for almost six more months, until the security blog KrebsOnSecurity ran an article exposing the issue. KrebsOnSecurity reported that anyone who received a URL to a document on First American’s website could access other documents simply by changing a single digit in the URL, without any login or authentication. This is a textbook insecure direct object reference: the server trusted the record identifier in the request instead of checking whether the requester was authorized to see that record. The URLs did not expire, so they essentially served as perpetual open doors into First American’s entire repository of documents maintained on behalf of millions of buyers and sellers of real estate.
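The two properties Krebs describes (a guessable identifier that is never authorized, and links that never expire) are easiest to see side by side. The following is an added illustration, not First American’s code (the internals of their system are not public): a constructed document store with sequential ids, a handler that reproduces the flaw, and a hardened handler that only serves a document over an HMAC-signed, expiring link bound to the authenticated user and re-checks ownership on every request. The document store, user names and signing key are all hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed sample document store (document id -> (owner, content)).
# Sequential ids are exactly the property an IDOR attack exploits.
DOCUMENTS = {
    1001: ("alice", "closing statement, 12 Main St"),
    1002: ("bob", "warranty deed, 40 Oak Ave"),
    1003: ("carol", "escrow instructions, 7 Pine Ct"),
}

# Hypothetical signing key; in production load it from a secret manager.
SECRET_KEY = b"hypothetical-signing-key-rotate-me"
LINK_TTL_SECONDS = 15 * 60


class Forbidden(Exception):
    """Raised when a request fails the signature, expiry or ownership checks."""


# --- Vulnerable pattern: the id in the URL is the only thing consulted ----------
def fetch_document_vulnerable(doc_id: int) -> str:
    """Models /docs?id=<n> with no login and no ownership check.

    Anyone holding one valid link can change a digit and read a neighbouring
    record, and the link keeps working forever.
    """
    return DOCUMENTS[doc_id][1]


# --- Hardened pattern: signed, expiring, user-bound link plus server-side authz --
def _signature(fields: dict) -> str:
    """HMAC over the fields that matter; any edit to them invalidates the link."""
    msg = "|".join(f"{k}={fields[k]}" for k in ("id", "u", "exp")).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_document_link(doc_id: int, user: str, now: Optional[float] = None) -> str:
    """Mint a link only for a document the caller owns; it expires after the TTL."""
    owner = DOCUMENTS.get(doc_id, (None, None))[0]
    if owner != user:
        raise Forbidden("caller does not own this document")
    ts = int(time.time() if now is None else now)
    fields = {"id": str(doc_id), "u": user, "exp": str(ts + LINK_TTL_SECONDS)}
    fields["s"] = _signature(fields)
    return "/docs?" + urlencode(fields)


def fetch_document_hardened(url: str, requesting_user: str,
                            now: Optional[float] = None) -> str:
    """Serve a document only if the link is intact, unexpired, issued to the
    authenticated caller, and the caller still owns the record."""
    q = dict(parse_qsl(urlparse(url).query))
    try:
        doc_id, exp, user, sig = int(q["id"]), int(q["exp"]), q["u"], q["s"]
    except (KeyError, ValueError):
        raise Forbidden("malformed link")
    # 1. Integrity first: changing a digit of id, user or expiry breaks the MAC.
    #    compare_digest avoids leaking the signature through timing differences.
    if not hmac.compare_digest(_signature(q), sig):
        raise Forbidden("signature mismatch")
    # 2. Links are not perpetual.
    ts = int(time.time() if now is None else now)
    if ts > exp:
        raise Forbidden("link expired")
    # 3. A link is bound to the user it was issued to; forwarding it is useless.
    if user != requesting_user:
        raise Forbidden("link issued to a different user")
    # 4. Authorize against the record itself, never against the URL alone
    #    (ownership may have changed since the link was minted).
    owner, content = DOCUMENTS.get(doc_id, (None, None))
    if owner != requesting_user:
        raise Forbidden("not the owner")
    return content
```

The ordering inside the hardened handler matters: the signature is checked before any field is trusted, so an attacker who edits `id=1001` to `id=1002` is rejected without the server ever looking up the second record. Even with a valid link, step 4 still consults the record’s owner, which is the check the vulnerable handler never performs.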
Despite the internal warning raised by its own Cyber Defense Team in its risk assessment process, First American failed to further investigate or correct the vulnerability. DFS also charges First American’s senior management with rejecting internally-proposed remediation efforts even after the vulnerability was made public.
In a similar situation in 2018, University of Texas MD Anderson Cancer Center was charged with failing to protect personal health information (“PHI”) through the use of encryption, even though its prior risk assessments had identified the lack of encryption of PHI stored on mobile devices as posing a serious risk. Before MD Anderson had deployed encryption across its entire system and its full mobile device inventory, two unencrypted flash drives and an unencrypted laptop, all containing PHI, were stolen. The fine levied against MD Anderson totaled over $4 million, although it continues to pursue an appeal of that decision.
Here, First American might have prevented the exposure of millions of files had it conducted a risk assessment of the application that housed the non-public data, as well as of the data itself. At the very least, it could have limited the damage by remediating the vulnerability immediately upon discovery rather than ignoring the problem. DFS also identified various other internal control issues, including a lack of consistent employee security training and a failure to use adequate protective measures, including encryption.
First American is subject to a fine of $1000 per violation, as well as a separate $1000 fine for each instance of non-public information encompassed within the charges.
The obvious lesson to be drawn from the charges against First American, and the case against MD Anderson, is to follow internal cybersecurity procedures and to not ignore identified shortcomings. These two cases also underscore the importance of completing a periodic risk assessment in order to ensure the protections a company has already implemented provide sufficient protection from the ever-evolving world of cyber threats.