The New York Department of Financial Services recently initiated its first action to enforce the department’s cybersecurity regulation. The regulation has been in effect since March 1, 2017, and applies to all financial institutions regulated by the NY DFS.
On July 21, 2020, the NY DFS charged California-based First American Title Insurance Company with violating the regulation in connection with a cybersecurity incident that the company experienced in 2018. The NY DFS has alleged that First American’s website exposed “to anyone with a web browser” the personal information of millions of customers that the company accumulated over 16 years of generating mortgage title insurance records. The information included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images.
According to the charges, First American first discovered the vulnerability during penetration testing in December 2018, but “allowed unfettered access to the personal and financial data . . . for six more months” after learning of the vulnerability. The NY DFS asserted that the vulnerability was introduced into First American’s systems as early as May 2014 and that “tens of millions” of records have since been exposed. First American has countered that a 2019 third-party investigation concluded that only “a very limited number of” customers had their personal information exposed in the incident and that none of those customers were New York residents. The NY DFS, however, noted that First American’s investigation reflects the number of individuals affected from 2018 onward, rather than from 2014, when the department alleges the vulnerability first arose.
The NY DFS charges also include allegations that First American violated specific provisions of the cybersecurity regulation by failing to:
- Adequately perform risk assessments, in violation of 23 NYCRR §§ 500.02, 500.09 to 500.10, 500.13 to 500.16
- Implement governance and classification policies suitable to its business model and associated risks, in violation of 23 NYCRR § 500.03’s requirement to maintain a written policy for the protection of information systems and the data stored in them
- Limit user access privileges, as required by 23 NYCRR § 500.07
- Provide regular cybersecurity awareness training for all personnel, in violation of 23 NYCRR § 500.14(b)
- Encrypt sensitive data, in violation of 23 NYCRR § 500.15
Because the NY DFS considers each instance of unauthorized access to a customer record to be a separate violation carrying a fine of up to $1,000, the aggregate fine facing First American could be significant. A hearing on the charges is currently scheduled for October 26, 2020.
The NY DFS cybersecurity regulation appears to open another front in exposing financial institutions that experience data breaches to potential regulatory fines. The enforcement action also coincides with tremendous growth in the fintech and insurtech industries, including in New York City’s Silicon Alley. The prescriptive nature of the NY DFS cybersecurity regulation may present a heavy burden for emerging companies, but the regulation should be taken seriously because of the risk of significant fines. For fintech and insurtech companies, the NY DFS enforcement action comes on top of recent evolution in the Federal Trade Commission’s position to view a broad swath of fintech and insurtech companies as financial institutions subject to privacy and cybersecurity requirements of the Gramm-Leach-Bliley Act. This expansive view of GLBA is yet another reason for financial institutions to continue to focus on cybersecurity, taking a holistic approach to establishing an information security program. The silver lining is that most of GLBA’s cybersecurity requirements are subsumed in the NY DFS cybersecurity regulations, which are more prescriptive and stringent.