First American Title Insurance Co. failed to safeguard mortgage documents, including bank account numbers and other personal information, New York’s financial regulator said in its first enforcement action under its cybersecurity rules.
The New York Department of Financial Services filed administrative charges Tuesday alleging the title insurer didn’t fix a flaw in an online data storage platform despite being made aware of it in December 2018. The vulnerability allowed unauthorized users to get access to restricted documents simply by changing a digit in a URL, the DFS said.
First American said it “strongly disagrees” with the enforcement action. A review from an outside consultant in May 2019 found only a limited number of documents were at risk, and none of them belonged to New York consumers, the company said in a statement.
The Nebraska Department of Insurance, which is the primary regulator for First American’s title insurance business, found that the company’s response to the incident was sufficient in June 2019, First American said.
“At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges,” the statement said.
New York’s charges are the first brought under state cybersecurity rules that largely went into effect in March 2017. The first-in-the-nation regulations require quick action when vulnerabilities are discovered, as well as customer notification, neither of which happened until First American’s problems were publicized, the department said.
“It’s clear that DFS intends to investigate alleged compliance failures and we should expect to see more of these actions,” said Lisa Sotto, chair of Hunton Andrews Kurth’s global privacy and cybersecurity practice in New York. However, “it’s surprising that it’s taken this long for DFS to publicly flog a company that it considered to be non-compliant,” she said.
Covered financial institutions can learn from the agency’s first probe, said Luke Dembosky, co-chair of Debevoise & Plimpton’s data strategy & security practice.
DFS “intends to review in substance the reasonableness and decision-making process supporting companies’ cybersecurity actions,” Dembosky said. Regulated entities “should document carefully, and be prepared to defend, their rationale and governance process behind that conclusion.”
Records Not Secure
The DFS alleges that the flaw in First American’s data storage system was first introduced during a May 2014 update.
Users who were permitted access to a document on First American’s website could reach other, restricted documents simply by changing a digit in the URL, according to the notice of charges.
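The failure the charges describe, a logged-in user changing a digit in a document URL to reach another customer’s file, is what application-security practice calls an insecure direct object reference: the server authenticates that someone is logged in but never checks that this user may read this record. The Python below is an added illustration written for this page, not First American’s code and not anything from the notice of charges; the `/documents/<id>` route shape, the document ids, owners and bodies are constructed assumptions. It puts a handler that trusts the id after login beside one that checks the requesting user against the stored owner, simulates the digit-changing probe against both, and shows that unguessable link tokens are only a second layer on top of that check.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample records keyed by sequential integer ids (assumption:
# the real platform used something similar). Not real customer data.
DOCUMENTS: dict[int, Document] = {
    100001: Document(100001, "alice", "closing statement for alice"),
    100002: Document(100002, "bob", "wire instructions for bob"),
    100003: Document(100003, "carol", "bank account details for carol"),
}


class Forbidden(Exception):
    """Caller is not logged in."""


class NotFound(Exception):
    """Document does not exist, or is not visible to this caller."""


def parse_doc_id(path: str) -> int:
    """Parse a hypothetical '/documents/<id>' path into an integer id."""
    prefix = "/documents/"
    if not path.startswith(prefix):
        raise NotFound(path)
    try:
        return int(path[len(prefix):])
    except ValueError:
        raise NotFound(path) from None


def fetch_document_insecure(path: str, user: str) -> str:
    """Vulnerable handler: checks only that *some* user is logged in, then
    trusts the id in the URL. Anyone holding a valid link can change a digit
    and read another customer's file (insecure direct object reference)."""
    if not user:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(parse_doc_id(path))
    if doc is None:
        raise NotFound(path)
    return doc.body


def fetch_document_secure(path: str, user: str) -> str:
    """Hardened handler: the server decides whether *this* user may read
    *this* document from the stored owner, not from anything the client sent.
    'Missing' and 'not yours' return the same error so the endpoint does not
    confirm which ids exist, which would still help an attacker enumerate."""
    if not user:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(parse_doc_id(path))
    if doc is None or doc.owner != user:
        raise NotFound(path)
    return doc.body


def probe_neighbors(path: str, user: str,
                    fetch: Callable[[str, str], str], spread: int = 2) -> list[int]:
    """Simulate the attack in the charges: start from a legitimately obtained
    link and vary the trailing digits. Returns ids of documents the caller
    does not own but was able to read."""
    base = parse_doc_id(path)
    leaked: list[int] = []
    for candidate in range(base - spread, base + spread + 1):
        if candidate == base:
            continue
        try:
            fetch(f"/documents/{candidate}", user)
        except (Forbidden, NotFound):
            continue
        if DOCUMENTS[candidate].owner != user:
            leaked.append(candidate)
    return leaked


# Defence in depth: unguessable link tokens instead of sequential ids in the
# URL. This stops URL walking but is NOT a substitute for the ownership check,
# since tokens get forwarded, logged and bookmarked.
LINKS: dict[str, int] = {}


def issue_link(doc_id: int) -> str:
    token = secrets.token_urlsafe(24)
    LINKS[token] = doc_id
    return f"/share/{token}"


def fetch_by_link(link: str, user: str) -> str:
    """Resolve a share token, then apply the same authorization as the hardened route."""
    doc_id = LINKS.get(link.removeprefix("/share/"))
    if doc_id is None:
        raise NotFound(link)
    return fetch_document_secure(f"/documents/{doc_id}", user)


if __name__ == "__main__":
    print("insecure leaks:", probe_neighbors("/documents/100001", "alice", fetch_document_insecure))
    print("secure leaks:  ", probe_neighbors("/documents/100001", "alice", fetch_document_secure))
```

Running the probe as "alice" against the vulnerable handler returns the ids of bob's and carol's documents; against the hardened handler it returns nothing, and the same result holds for share links because `fetch_by_link` ends in the same owner check. The point a reviewer should take from a penetration-test finding like the one described here is that the fix is the per-request authorization check, and that the check belongs in the handler for every identifier-bearing route, not only the one the tester happened to hit.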
A penetration test run by the company did not find the vulnerability until December 2018, and even then the company took no action to fix it. By that point, potentially millions of documents, including bank account numbers and other sensitive information, were exposed, the department said.
The company did not make changes until notified by Brian Krebs, a prominent cybersecurity reporter, in May 2019, the DFS said.
The title insurer faces potential civil money penalties as high as $15,000 per day for flagrant violations and an order to make any necessary fixes. The DFS is only seeking penalties for the period beginning March 1, 2017, when the rule took effect.