May 7, 2021

Volume XI, Number 127

New York’s Department of Financial Services Files First Enforcement Action Under New Cybersecurity Regulation

In July 2020, the New York State Department of Financial Services (NYDFS) filed the first enforcement action under the new NYDFS Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500), against First American Title Insurance Company (First American), a leading title insurance provider. 

Part 500, which went into effect in March 2019, is a set of regulations that places new cybersecurity requirements on financial institutions regulated by NYDFS. Pursuant to Part 500, covered financial institutions must establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of non-public information (NPI). Covered entities must also maintain policies and procedures to protect the privacy of consumer data.

The Statement of Charges filed by NYDFS alleged that First American did not maintain adequate internal controls to protect NPI. Furthermore, NYDFS alleged that First American exposed numerous documents containing consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and drivers’ license images.

More specifically, NYDFS alleged that a “known vulnerability” in First American’s information systems resulted in exposure of NPI via the company’s public-facing website. According to the Statement of Charges, in 2014, First American updated an internal system and inadvertently created access to loan documents — without any login or authentication — through a public URL. NYDFS also alleged that an internal penetration test identified the vulnerability in December 2018, but First American failed to properly and timely remediate it.

The NYDFS Statement of Charges alleges six different violations of Part 500:

  • Failure to maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the company’s information systems (23 NYCRR 500.02).

  • Failure to maintain a policy approved by a Senior Officer or the board of directors or equivalent governing body, setting forth the company’s policies and procedures for the protection of its information systems and the NPI stored on those information systems (23 NYCRR 500.03).

  • Failure to limit user access privileges to information systems that provide access to NPI and failure to periodically review such access privileges (23 NYCRR 500.07).

  • Failure to conduct a periodic risk assessment of the company’s information systems and failure to update said risk assessment to address changes to the company’s information systems, NPI, or business operations (23 NYCRR 500.09).

  • Failure to provide regular cybersecurity awareness training for all personnel (23 NYCRR 500.14(b)).

  • Failure to implement controls to protect NPI held or transmitted by the company both in transit over external networks and at rest (23 NYCRR 500.15).

In the wake of NYDFS’s enforcement action, First American publicly stated that it “strongly disagrees” with the charges. A hearing is scheduled for October 26, 2020, to determine whether the alleged violations occurred and “whether civil monetary penalties shall be imposed and other appropriate relief be granted.” According to NYDFS, each instance of NPI “encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.”

The charges against First American are notable because they indicate that NYDFS intends to aggressively pursue and enforce what it perceives to be violations of Part 500. The case is particularly significant because, while there are allegations that consumer data was exposed, there are no allegations of a wholesale data breach or that any consumers were actually harmed by First American’s alleged violations. The willingness to bring an enforcement action under these circumstances further indicates how aggressively NYDFS intends to enforce Part 500. Finally, if the charges are proven, it will be interesting to see whether NYDFS actually seeks to impose a $1,000 penalty for each violation of Part 500. To the extent that NYDFS takes this position, the fine imposed could be significant.

This enforcement action serves as an important reminder to financial services companies regulated by NYDFS to ensure that they are in compliance with Part 500. Regulated entities must ensure that they are not only creating effective cybersecurity policies and procedures, but also that they are following, implementing, and modifying these policies and procedures on a regular basis.

Regulated entities would be wise to pay heed to the following recommendations:

  • Encrypt NPI and Personal Information. While NYDFS acknowledged that encryption would not have protected the NPI at issue in the First American case due to the unique vulnerability at issue, it nevertheless included an encryption violation in its Statement of Charges. Encrypting NPI is critical to protecting customer data, because, when data is encrypted, it prevents an unauthorized person that may gain access from being able to read or exploit it.

  • Empower CISOs. The Chief Information Security Officer (CISO) needs to both keep track of operational risks and be positioned to meaningfully report those risks to an audience with the authority to mitigate them. Part 500 requires covered entities to designate a CISO. The CISO plays a critical role in the development and implementation of cybersecurity policies and procedures that can both help to prevent data breaches and mitigate the damages once a breach occurs. CISOs are also vital to ensuring that companies are in compliance with all applicable state and federal regulations. In addition, a good CISO will serve as a liaison between a company’s C-Suite and the engineers who are tasked with creating and implementing a cybersecurity plan.

  • Create Incident Escalation Triggers. Initial incident reporting and escalation is often a key failure in incident response. To minimize this risk, incident response plans and processes should include triggers based on time, scope, and sensitivity of information to standardize the initial reporting and escalation process.

  • Maintain a Complete and Updated Data Inventory of NPI. In order to prevent and mitigate cybersecurity incidents, an organization must understand which systems or networks contain personal information and how that information is accessed internally and shared externally.

  • Update Internal Policies to Reflect Current Practices. The drafting and review process for cybersecurity policies and procedures should incorporate recommendations from interdisciplinary offices including IT, HR, Legal, Risk, and Operations. Employees should test the policies during penetration tests and exercises with necessary updates after each test.

  • Train All Employees on Cybersecurity Awareness. Training employees on cybersecurity awareness will enable them to identify potential threats to a company’s data and serve as a line of defense for protecting sensitive data. In many data breaches, attackers gain access to the victim company’s data through the manipulation of unsuspecting employees — such as phishing or social engineering schemes. Training employees to recognize potential cyberattacks can significantly reduce the risk of a potential data breach.

© 2021 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume X, Number 254
About this Author

Peter Baldwin, Securities lawyer, Drinker Biddle
Partner

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central...

Lucas Michelen, corporate lawyer, Drinker Biddle
Associate

Lucas B. Michelen represents a variety of corporate clients involved in complex commercial litigation. Lucas has experience representing clients in litigation related to business tort and commercial contract disputes, white collar criminal defense, and state Attorney General consumer protection actions. Lucas also defends pharmaceutical and medical device companies in mass tort cases in both state and federal court.

Lucas maintains an active pro bono practice and has worked on cases with multiple public interest organizations, including the Public...

Adam W. Smith Corporate Attorney Faegre Drinker Biddle & Reath Minneapolis, MN
Associate

Adam Smith helps clients sleep soundly by managing their corporate matters, including governance, transactions and cybersecurity. He integrates a background in law, policy and incident response to help clients plan for business success.

Adam gained legal experience as a summer associate at Faegre Baker Daniels and Jones Day, where he drafted memoranda on Blue Sky laws, contributed to due diligence reports for initial public offerings and supported white collar and antitrust investigation work. Adam also served as a legal extern analyzing environmental and international sovereignty...
