Charges Filed Against First American Title Insurance Company For Cybersecurity Lapse

The New York State Department of Financial Services (DFS) has charged First American Title Insurance Company with exposing tens of millions of customers’ sensitive documents from October 2014 through May 2019 due to a known vulnerability on the company’s public-facing website.  This is the first action filed under DFS’s cybersecurity regulations, which went into effect in March 2017.

According to DFS, these documents included customer bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images.  Each exposure of non-public information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation. 

The DFS’s cybersecurity regulations were first proposed in 2016 to protect against the ever-growing threat of cyberattacks.   They require banks, insurance companies and other DFS-regulated financial services institutions to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of the financial services industry.  New York is the first state to adopt cybersecurity regulations.

According to DFS, the vulnerability was originally discovered by an internal penetration test in December 2018.  Apparently, the vulnerability was a result of a software update in May 2014 and went undetected for years.  The company then ignored the cybersecurity team’s advice to follow up on the vulnerability.  First American did not respond to the vulnerability until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist.

The journalist, KrebsOnSecurity, first reported the leak in May 2019, and estimated approximately 885 million files, dating all the way back to 2003, were maliciously accessed.  In August 2019, First American claimed that a third party investigated the issue and identified only 32 consumers whose non-public personal information was likely accessed without authorization.  However, when Krebs asked how long it maintained access logs or how far back in time that review went, First American declined to be more specific, saying that its logs covered a period typical for a company of its size and nature.  The DFS claims that First American’s review covered only web logs retained from June 2018 onward, and only 350,000 documents were accessed without authorization. 

Some of the provisions DFS is charging First American of violating include failing to perform an adequate risk assessment; not maintaining proper access controls; not providing adequate security training for cybersecurity employees; and failing to encrypt nonpublic information.  According to DFS, First American allowed ”unfettered access” to customer data for more than six months, despite being aware of the vulnerability from the internal penetration test

In a statement, First American proclaimed that the company “strongly disagrees with the New York Department of Financial Services’ charges.  As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information. None of these identified consumers were New York residents. At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges.”  A hearing is scheduled for October 26.  First American’s stock price fell by more than 6% following the news of the breach.  The company could also face millions of dollars in fines if the maximum penalty is pursued for each breach by the DFS. 

Don’t let this happen to your firm.  Schneider Downs can help you perform a NYDFS Cybersecurity compliance assessment or penetration test to determine if there are weaknesses in your IT systems of compliance programs that could lead to similar regulatory action

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

Zerologon: Instant Elevation to Domain Admin
Ransomware Postpones First Day of School for Hartford Students
Is Your Chip Card Implementation Secure?
Part of a Data Breach… Now What?
Evolving Cyber Threats of the New Normal
Cybersecurity Update: Twitter and Garmin

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102