Historic Charges: First Enforcement Action Filed by New York Department of Financial Services Under Cybersecurity Regulation

I. The NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity Regulation became effective in March 2017 and, beginning on February 15, 2019, required all NYDFS-regulated entities (Covered Entities), including First American, to annually certify compliance with the Regulation.³ While the Regulation went into effect in March 2017, the NYDFS adopted a phased approach to implementation, identifying a series of compliance deadlines that occurred over a two-year period ending on March 1, 2019. The Regulation requires that Covered Entities establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems and its customers’ NPI as defined in 23 NYCRR §§ 500.01(e) and 500.01(g), respectively.⁴ The Regulation sets minimum standards for compliance related to the assessment of cybersecurity risks, the prevention and detection of security events, and post-breach management. The NYDFS Cybersecurity Regulation is aligned with the National Institute of Standards and Technology Cybersecurity Framework, a federally recognized voluntary framework that includes standards, guidelines, and best practices to manage cybersecurity risk.

II. First American’s Six Alleged Violations of the Cybersecurity Regulation

The NYDFS alleges that First American, one of the largest providers of title insurance in the U.S., which wrote more than 50,000 policies in New York State in 2019, experienced a vulnerability in its information systems that resulted in the exposure of consumers’ sensitive personal information over several years and that First American failed to remediate the vulnerability after its discovery. More specifically, the NYDFS alleges that First American violated six provisions of the Cybersecurity Regulation and failed to

• perform risk assessments for data stored or transmitted within its information systems, particularly the First American main document repository, known as FAST, and EaglePro applications, which transmitted and stored NPI as discussed below (23 NYCRR § 500.02)
• maintain and implement data governance and classification policies for NPI suitable to its business model and associated risks and maintain an appropriate, risk-based policy governing access controls for applications that contain or transmit NPI (23 NYCRR § 500.03)
• limit user access privileges to information systems that provide access to NPI (23 NYCRR § 500.07)
• conduct a periodic risk assessment of the its information systems sufficient to inform the design of its cybersecurity program (23 NYCRR § 500.09)
• provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its risk assessment (23 NYCRR § 500.14)
• implement controls, including encryption, to protect NPI held or transmitted both in transit over external networks and at rest (23 NYCRR § 500.15)

III. Background to the NYDFS’s First American Statement of Charges

The NYDFS Statement of charges against First American explains that from at least October 2014 through May 2019, tens of millions of documents containing consumers’ sensitive personal information were exposed due to a known vulnerability on First American’s website. The consumers’ sensitive personal information included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images. Public access to these documents was caused by an application software vulnerability that was initially introduced in May 2014. The Department further alleges that First American demonstrated a “willful failure to remediate” the vulnerability by not acting even after the issue was identified by a penetration test in December 2018. The NYDFS alleges that First American, rather than remediate the issue, “instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized” in May 2019 by a well-known cybersecurity journalist.

The exposed documents were stored in FAST, which was developed to allow First American employees to share documents with parties to an insurance transaction. First American also created and maintains EaglePro, a separate application on its network, which is “a web-based title document delivery system that allows title agents and other [First American] employees to share any document in FAST with outside parties.”⁵ The NYDFS alleges that the documents stored in FAST were each marked with an identification number that was included in the URL shared by the system when properly transmitting the document to a customer. Unauthorized individuals, however, could simply manipulate the URL of the public web page by inserting random identification numbers to access the documents stored on FAST. The NYDFS alleges in April 2018, FAST contained 753 million documents, 65 million of which had been tagged by First American’s employees as containing NPI. A random sampling of 1,000 untagged documents revealed that 30 percent of those documents also contained NPI. In May 2019, FAST contained over 850 million documents.

IV. Lessons Learned From NYDFS’s First American Statement of Charges

The First American Statement of charges serves as the Department’s first enforcement action under the Cybersecurity Regulation and may provide critical insight for NYDFS-regulated businesses and their third-party service providers as to how the NYDFS may enforce that Regulation. Specifically, Covered Entities and their third-party service providers should consider the following issues as they work to improve their cybersecurity programs in compliance with the Cybersecurity Regulation.

1. Does the Covered Entity’s cybersecurity program provide for periodic and documented risk assessments? For a Covered Entity’s cybersecurity program to be adequately situated for the Covered Entity’s unique needs, the NYDFS requires that the program be tailored to address the findings of periodically conducted risk assessments. These periodic risk assessments must assess internal and external risks, including data stored or transmitted within the Covered Entity’s information systems. The risk assessments should also be the basis for updates and revisions to the cybersecurity program. Risk assessments must be properly responsive to technological developments and evolving threats and must include criteria for the assessment of the confidentiality, integrity, security, and availability of the Covered Entity’s information systems and NPI, including the adequacy of existing controls in the context of identified risks, and requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks. Finally, risk assessments should also inform regular cybersecurity awareness training for all personnel.
2. Are data and applications that process data properly classified for confidentiality to ensure proper data management? A Covered Entity’s written cybersecurity policies are required to contain data classification systems, access controls and identity management, among other provisions detailed in the NYDFS Cybersecurity Regulation. Confidential information must be properly classified, and applications should be reviewed periodically to determine whether confidential information is stored or transmitted in the application, requiring elevated security. Covered Entities should focus on achieving proper data classification to manage access controls effectively and therefore prevent unauthorized users from accessing the confidential information. Strong access control capabilities do little for Covered Entities if they fail to properly classify data as confidential so those access controls can be applied. First American failed to classify its applications properly as actively transmitting confidential, nonpublic information. As a result, access controls were not applied to prevent exposure of the NPI.
3. Are controls properly implemented, including encryption, at the approval of the Covered Entity’s Chief Information Security Officer (CISO)? Access controls put in place to protect confidentially classified data must meet the standards set by the NYDFS Cybersecurity Regulation. The Regulation requires that controls, including encryption, be implemented to protect NPI held or transmitted both in transit over external networks and at rest. Alternative controls can be put in place if encryption is infeasible. To the extent that a Covered Entity is using compensating controls rather than encryption, the feasibility of encryption and effectiveness of the compensating controls must be reviewed by the CISO at least annually. First American failed to encrypt NPI even for documents that were properly marked as sensitive. Both proper classification and proper controls are essential for ensuring compliance with the NYDFS Cybersecurity Regulation.
4. Is the Covered Entity promptly reviewing, assessing, and remediating any identified vulnerabilities? The Statement explains that First American “grossly underestimated the level of risk associated with the [v]ulnerability,” which had been “erroneously classified as a ‘medium severity’ ” because First American held “the mistaken belief that EaglePro could not transmit NPI.”⁶ The NYDFS alleges that First American compounded the delay in remediating the vulnerability by “accidently re-classifying the vulnerability from ‘medium’ to ‘low’ severity” when entered into First American’s tracking system and failing to adhere to its internal policies by delaying remediation of the vulnerability “for more than five months after its discovery.”⁷ Moreover, the Department alleges that First American “ineffectively assigned” the remediation “to an unqualified employee” who had “little experience in data security.”⁸ When reviewing identified vulnerabilities, Covered Entities should therefore assess (i) whether each vulnerability is appropriately classified, (ii) whether the Covered Entity is promptly addressing and remediating each vulnerability in accordance with its policies and procedures, (iii) whether the Covered Entity has assigned appropriately qualified personnel to be responsible for such remediation, and (iv) whether the Covered Entity has provided assigned personnel with details of a vulnerability’s gravity, the applicable policies and standards for the Covered Entity’s data security and remediation, and support in conducting those responsibilities.

V. NYDFS’s Continued Focus on Cybersecurity and Enforcement of its Regulation

NYDFS’s Statement of charges against First American underscores the Department’s continued focus on cybersecurity risks and Covered Entities’ compliance with the Regulation. In April 2019, Linda Lacewell, the NYDFS acting superintendent, publicly commented that cybersecurity is “the number one threat facing all industries and governments globally” and that in the interest of prioritizing consumers, compliance of financial institutions with state regulations must be “at the center of everything [] institutions do.”⁹ The First American Statement of charges thus may signal future, imminent enforcement actions or sweeps by the Department that will provide insight as to what fact patterns might constitute a violation of the Regulation.

¹ See NYDFS press release, Acting Superintendent Linda A. Lacewell Names Justin Herring Executive Deputy Superintendent of Newly Created Cybersecurity Division (May 22, 2019) (“The new Cybersecurity Division will enforce the Department’s cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’s cybersecurity regulations, and conduct cyber-related investigations in coordination with the Consumer Protection and Financial Enforcement Division. The Division, which will also help industry protect itself by disseminating trends and threat information about cyber-attacks, will incorporate DFS’s existing subject-matter experts in cybersecurity, who are currently spread across other divisions, and continue to develop that expertise within DFS’s existing personnel and by hiring additional experts as necessary”).

² See Financial Services Law, FIS § 408(a); see also NYDFS press release, Department of Financial Services Announces Cybersecurity Charges Against a Leading Title Insurance Provider For Exposing Millions of Documents with Consumer’s Personal Information (July 22, 2020) (“The Cybersecurity Regulation is implemented pursuant to Section 408 of the Financial Services Law. Any violation of Section 408 with respect to a financial product or service, which includes title insurance, carries penalties of up to $1,000 per violation. DFS alleges that each instance of [NPI] encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation”).

³ A “Covered Entity” includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking Law, the [New York] Insurance Law or the [New York] Financial Services Law.” See 23 NYCRR § 500.01(c). The NYDFS has also advised that a Covered Entity’s obligations extend to subsidiaries and affiliates that present risks to the Covered Entity’s information systems or the [NPI] stored on those information systems; in such instances, “those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies.” See NYDFS Cybersecurity Regulation FAQs, Question No. 22 (last visited August 14, 2020).

⁴ As explained by the NYDFS, the term “NPI” means “all electronic information that is not publicly available and is: (1) Business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity; (2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records; and (3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.” 23 NYCRR § 500.00(g).

⁵ In the Matter of First American Title Insurance Company, No. 2020-0030-C at 6 (July 21, 2020).

⁶ In the Matter of First American Title Insurance Company, No. 2020-0030-C at 9 (July 21, 2020).

⁷ In the Matter of First American Title Insurance Company, No. 2020-0030-C at 10 (July 21, 2020).

⁸ In the Matter of First American Title Insurance Company, No. 2020-0030-C at 11 (July 21, 2020).

⁹ Linda Lacewell, NYDFS Acting Superintendent, Keynote Address: Current Issues in Insurance Regulation, N.Y.C. Bar Association (Apr. 12, 2019).