Charges Filed Against First American Title Insurance Company For Cybersecurity Lapse

The New York State Department of Financial Services (DFS) has charged First American Title Insurance Company with exposing tens of millions of customers’ sensitive documents from October 2014 through May 2019 due to a known vulnerability on the company’s public-facing website.  This is the first action filed under DFS’s cybersecurity regulations, which went into effect in March 2017.

According to DFS, these documents included customer bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images.  Each exposure of non-public information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation. 

The DFS’s cybersecurity regulations were first proposed in 2016 to protect against the ever-growing threat of cyberattacks.   They require banks, insurance companies and other DFS-regulated financial services institutions to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of the financial services industry.  New York is the first state to adopt cybersecurity regulations.

According to DFS, the vulnerability was originally discovered by an internal penetration test in December 2018.  Apparently, the vulnerability was a result of a software update in May 2014 and went undetected for years.  The company then ignored the cybersecurity team’s advice to follow up on the vulnerability.  First American did not respond to the vulnerability until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist.

The journalist, KrebsOnSecurity, first reported the leak in May 2019, and estimated approximately 885 million files, dating all the way back to 2003, were maliciously accessed.  In August 2019, First American claimed that a third party investigated the issue and identified only 32 consumers whose non-public personal information was likely accessed without authorization.  However, when Krebs asked how long it maintained access logs or how far back in time that review went, First American declined to be more specific, saying that its logs covered a period typical for a company of its size and nature.  The DFS claims that First American’s review covered only web logs retained from June 2018 onward, and only 350,000 documents were accessed without authorization. 

Some of the provisions DFS is charging First American of violating include failing to perform an adequate risk assessment; not maintaining proper access controls; not providing adequate security training for cybersecurity employees; and failing to encrypt nonpublic information.  According to DFS, First American allowed ”unfettered access” to customer data for more than six months, despite being aware of the vulnerability from the internal penetration test

In a statement, First American proclaimed that the company “strongly disagrees with the New York Department of Financial Services’ charges.  As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information. None of these identified consumers were New York residents. At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges.”  A hearing is scheduled for October 26.  First American’s stock price fell by more than 6% following the news of the breach.  The company could also face millions of dollars in fines if the maximum penalty is pursued for each breach by the DFS. 

Don’t let this happen to your firm.  Schneider Downs can help you perform a NYDFS Cybersecurity compliance assessment or penetration test to determine if there are weaknesses in your IT systems of compliance programs that could lead to similar regulatory action