New York’s DFS Launches First Action Under Cybersecurity Rules
The New York Department of Financial Services (“NYDFS”) filed administrative charges this week against First American Title Insurance Co. (“First American”) in its first action brought under the agency’s expansive cybersecurity rules, which went into effect more than three years ago. NYDFS charged First American with a failure to safeguard mortgage documents, bank account numbers, Social Security numbers, driver’s license images, and other personal information—potentially exposing hundreds of millions of documents—because it did not adequately address a vulnerability in its online data storage platform. Ice Miller recently highlighted New York’s increased commitment to cybersecurity, noting in particular the passage of the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) in 2019 and the NYDFS Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Rules”) in 2017. If you are closing deals in New York (or anywhere else) or are operating in the financial and insurance sector with ties to New York, our Data Security and Privacy Team offers guidance below to best protect your sensitive data and networks/systems.
First American Challenges NYDFS Findings
NYDFS alleged that First American’s operations involved multiple failures that violated six provisions of the Cybersecurity Rules, including: (1) failure to maintain a cybersecurity program, (2) not having written security policies approved by senior leadership, (3) not limiting user access privileges, (4) failing to conduct periodic risk assessments, (5) not providing regular information security training to its employees, and (6) not implementing information security controls such as encryption. As we have often seen in the past, timely response is one of the critical differentiators for successful incident response, and here NYDFS highlighted that First American failed to properly classify the severity of a vulnerability that had been present since 2014 and was first discovered only in December 2018, then fell short of conducting a reasonable investigation into the vulnerability, and in so doing reportedly did not follow the internal recommendations of its own cybersecurity team. In addition to the NYDFS charges, First American faces a significant reputational challenge from reports that the vulnerability was not properly fixed, or “patched,” until the company was notified by Brian Krebs, a renowned cybersecurity writer, in 2019. The vulnerability allowed unauthorized users to access restricted documents by changing one digit in a URL, the NYDFS said.
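The failure NYDFS describes, a document served to whoever supplies its sequential identifier in a URL with no check that the requester is entitled to it, is a classic missing-authorization defect. The following added example is not First American’s code and assumes nothing about their platform; it uses a constructed in-memory document store to show the unsafe lookup beside a hardened one that enforces ownership server-side, replaces enumerable keys in URLs with random handles, and records refused requests so that an identifier-walking pattern can be detected rather than discovered years later by an outside reporter.

```python
"""Direct-object-reference lookup: the unsafe pattern, a hardened one, and a detection hook.
Added illustrative code; the document store and records below are constructed, not real."""
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int    # sequential database key, the kind that ends up in a URL
    owner: str     # principal entitled to read this record
    content: str


# Constructed sample records (assumption: a store keyed by a sequential integer).
DOCS = {
    1001: Document(1001, "alice", "closing statement, 12 Main St"),
    1002: Document(1002, "bob", "wire instructions, 8 Oak Ave"),
    1003: Document(1003, "carol", "driver's license scan"),
}


def fetch_document_insecure(doc_id: int):
    """Vulnerable pattern: whatever id arrives in the URL is looked up and returned.
    Nothing ties the requester to the record, so changing one digit yields a neighbour's file."""
    doc = DOCS.get(doc_id)
    return doc.content if doc else None


# ---- hardened version -------------------------------------------------------

# requester -> set of record ids they were refused (feeds the detection check below)
denied_log = defaultdict(set)


def fetch_document_secure(requester: str, doc_id: int):
    """Hardened pattern: the same lookup, but the record is released only when the
    authenticated requester owns it. Missing and forbidden both return None so the
    response does not confirm whether an id exists."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != requester:
        denied_log[requester].add(doc_id)
        return None
    return doc.content


# Opaque handles used in URLs instead of the sequential key; mapping stays server-side.
HANDLES = {}


def issue_handle(doc_id: int) -> str:
    """Mint a 128-bit random, URL-safe handle for a document. Defence in depth only:
    the ownership check above is still required, since handles can be shared or leaked."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = doc_id
    return handle


def resolve_handle(handle: str):
    """Map a handle back to its document id, or None if the handle is unknown."""
    return HANDLES.get(handle)


def enumeration_suspects(threshold: int = 3):
    """Detection hook: requesters refused on at least `threshold` distinct records.
    A legitimate user mistypes one link; walking identifiers leaves a spread of refusals."""
    return sorted(r for r, ids in denied_log.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("insecure, anyone asking for 1002:", fetch_document_insecure(1002))
    print("secure, alice asking for 1002:", fetch_document_secure("alice", 1002))
    print("handle for 1001:", issue_handle(1001))
```

The ownership check is the control that maps to the Cybersecurity Rules’ access-privilege requirement; the random handle and the refusal log are the additional layers a reviewer would expect to see once the core check is in place.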
First American is currently challenging NYDFS’ version of events. It cited a review from a third-party consultant in May 2019 that found only a limited number of documents were at risk, none of which belonged to New York consumers. Further, First American claims the Nebraska Department of Insurance (the primary regulator for First American) was satisfied by its response to the incident in a report from June 2019.
Whether the NYDFS accepts First American’s defense could affect the severity of penalties. First American faces civil penalties as high as $15,000 per day for flagrant violations and an order to make necessary fixes, with the tolling period running from March 1, 2017, when the Cybersecurity Rules took effect.
New York’s Recent Cybersecurity Developments
The First American case involves alleged violations of six provisions of the Cybersecurity Rules, which apply to any individual or any non-governmental entity operating “under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” (a “Covered Entity”). The Cybersecurity Rules were and remain one of the leading efforts by regulators to craft minimum regulatory standards for cybersecurity, including encryption of all nonpublic information (both “in transit” and “at rest”), improved multi-factor authentication, and a comprehensive vendor and third-party risk management program. Another key requirement of the Cybersecurity Rules is that Covered Entities report Cybersecurity Events to the NYDFS as promptly as possible and within 72 hours at the latest. The 72-hour deadline can present a serious compliance challenge for many Covered Entities and puts a premium on having a practiced and effective incident response plan.
Passed just two years later, the SHIELD Act amended New York’s data breach notification law to cover any person or entity holding private information of a New York resident, regardless of whether the data collector conducts business in New York State. With the SHIELD Act, New York joined the increasing number of states that require “reasonable data security protections,” a term that, for those familiar with the CCPA, remains a mystery.
How Can You Protect Your Real Estate and Other Sensitive Documents?
Protecting sensitive or confidential data is important in all industries, but for those working in real estate and the financial and insurance sector, data security requires heightened awareness given the many serious threats, from cybercriminals to nation-state hackers. In the COVID-19 environment, where more transactions have migrated from the conference room to the email inbox (and, more recently, to the parties’ own living rooms), securing these data types is even more important. Here are two quick tips to protect sensitive real estate documents:
- Perform annual security audits.
Annual security audits are essential to identifying and resolving vulnerabilities. Note, however, that simply hiring a third-party consultant to perform an audit does not absolve you of potential liability. Audits should leverage the relationship between your internal information security team and trusted advisors or consultants, such as outside counsel, who can provide both the technical and the legal guidance necessary to evaluate your security posture and your legal obligations in an industry that is as much about legalese as it is about security.
- Review document retention and destruction policies.
Note that in the First American case, hundreds of millions of documents were potentially exposed over a five-year period. Often, with such large exposed data sets, we find that many records could have been disposed of pursuant to information governance requirements or moved offline once easy access was no longer needed. For those documents that must remain accessible, well-implemented encryption remains the most effective shield against unauthorized access. Carrying out data mapping reviews that identify data sets that can be disposed of or placed into “cold storage” can be a major risk mitigation step for any enterprise, keeping in mind that data from past transactions, which may be mostly useless to your company, is still of great interest to criminals.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
Our Data Security and Privacy team has experience performing security audits, reviewing information security policies and procedures, and assessing and/or procuring cyber liability insurance. If you have any questions regarding the First American case, recent cybersecurity developments in New York, or securing your real estate transactions from start to finish, contact a member of our team.
Guillermo Christensen is a partner based in Washington, DC and licensed in New York and Virginia, working in Ice Miller’s Data Security and Privacy and White Collar Defense Groups. Guillermo combines his experience as an attorney, a former CIA intelligence officer, and a diplomat with the U.S. Department of State to shape and inform the advice he provides to clients on various enterprise risks involving cybersecurity and national security law.
Mason Clark is an associate in Ice Miller’s Data Security and Privacy Group. He has a Master’s degree in Cybersecurity Risk Management, and he is a frequent presenter on data privacy and security incident response at conferences and presentations across the country.