The New York State Department of Financial Services (DFS) filed a statement of charges against First American Title Insurance Company. DFS alleges that First American exposed hundreds of millions of documents, millions of which contained consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts, and drivers’ license images. These charges are the first to be filed alleging violations of DFS’s Cybersecurity Regulation.
In the statement of charges, DFS alleges that a vulnerability in First American’s information systems exposed consumers’ sensitive personal information over the course of several years, and that First American failed to remedy the exposure promptly after it was discovered in December 2018. DFS alleges multiple failures in First American’s handling of this extraordinary exposure of sensitive consumer data, including:
- First American failed to follow its own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
- First American misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American’s internal cybersecurity policies;
- after the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
- the title insurer failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
DFS alleges that these errors, deficient controls, and other flaws in First American’s cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered.