Late this summer the New York Department of Financial Services (NYDFS) announced its first enforcement action since the cybersecurity rules went into effect in March 2017. The action was brought against First American Title Insurance Co. as a result of a 2018 data breach exposing 850 million customer records containing sensitive personal information.
NYDFS charged First American with violating six provisions of the Cybersecurity Regulation, arguing that, among other violations, First American:
- failed to apply risk assessments, security reviews, and its own cybersecurity policies when investigating the vulnerability and the sensitive data it exposed;
- misclassified the vulnerability as “low” severity and, as a result, failed to investigate it under the criteria set forth in its own cybersecurity policies;
- did not conduct a reasonable investigation into the vulnerability even after its detection in December 2018, and instead only reviewed 10 of the millions of exposed documents; and
- failed to follow the advice of its own in-house cybersecurity team to further investigate and remedy the vulnerability.
The statement of charges highlights the NYDFS’s core cybersecurity expectations, namely that a covered company (i) encrypt documents containing non-public information (NPI), (ii) limit user access to NPI through access controls, and (iii) provide regular cybersecurity awareness training, each as required by the regulation. The NYDFS is seeking civil monetary penalties and an order to remedy the alleged violations, and a hearing is set for October 26.
The NYDFS is not alone in holding companies accountable for what it perceives as failures to implement adequate cybersecurity measures and to respond adequately to data incidents. The New York Attorney General’s office has recently pursued similar enforcement actions against companies it believes failed to respond adequately to data incidents and to address cybersecurity. The settlement of at least one such action required the company to strengthen its cybersecurity practices, adopt detailed incident response procedures, and pay fines.
Putting it Into Practice: The enforcement action highlights the importance of properly assessing and categorizing the severity of cybersecurity vulnerabilities and of taking swift and appropriate action in response. It also serves as a reminder that regulators expect companies to have, test, and actually follow internal policies and procedures for incident response. Lastly, employees responsible for addressing remediation items identified in the aftermath of a security incident should be given the resources, authority, and background needed to effect change. Without measured, proactive attention to cybersecurity and incident response, companies could face enforcement actions, fines, and penalties following the disclosure of a data breach.