October 23, 2021

Volume XI, Number 296


NYDFS Files First Enforcement Action Under Reg 500

On July 21, 2020, the New York Department of Financial Services (“DFS”) filed its first enforcement action under New York’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). Reg 500, which took effect in March 2017, imposes wide-ranging and rigorous requirements on subject organizations and their service providers, which are summarized here.

According to the Statement of Charges, First American Title Insurance Co. (“First American”) failed to remediate a vulnerability on its public-facing website, thereby exposing millions of documents containing sensitive consumer information – including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and drivers’ license images – to unauthorized access. More specifically, DFS claims that First American failed to:

  • Conduct a security review and risk assessment of the vulnerability – steps that were mandated by the Company’s own cybersecurity policies;

  • Properly classify the level of risk associated with the website vulnerability;

  • Adequately investigate that vulnerability (the Company reviewed only a tiny fraction of the impacted documents and, as a result, severely underestimated the seriousness of the vulnerability); and

  • Heed the advice of the Company’s internal cybersecurity team, which advised that further investigatory actions were needed.

The foregoing failures, DFS contends, violated six provisions of Reg 500. Specifically:

  1. 23 NYCRR 500.02: The requirement to maintain a cybersecurity program that is designed to protect the confidentiality, integrity and availability of the covered entity’s information systems, and which is based on the covered entity’s risk assessment.

  2. 23 NYCRR 500.03: The requirement to maintain a written policy or policies, approved by senior management, setting forth the covered entity’s policies and procedures for the protection of its information systems and the nonpublic personal information (“NPI”) stored on those systems.

  3. 23 NYCRR 500.07: The requirement to limit user access privileges to information systems that provide access to NPI and periodically review such access privileges.

  4. 23 NYCRR 500.09: The requirement to conduct a periodic risk assessment of the covered entity’s information systems to inform the design of its cybersecurity program.

  5. 23 NYCRR 500.14(b): The requirement to provide regular cybersecurity awareness training for all personnel as part of the covered entity’s cybersecurity program, and to update such training to reflect risks identified by the covered entity in its risk assessment.

  6. 23 NYCRR 500.15: The requirement to implement controls, including encryption, to protect NPI held or transmitted by the covered entity, both in transit over external networks and at rest.

The case against First American is scheduled to proceed to an administrative hearing on October 26, 2020. DFS is seeking civil penalties, along with an order requiring the Company to remedy its violations of Reg 500. Each violation of Reg 500 carries a potential penalty of up to $1,000, and DFS is taking the position that each instance where NPI was subject to unauthorized access constituted a separate violation. DFS alleges that hundreds of millions of documents were exposed to potential unauthorized access as a result of First American’s alleged violations and that, according to the Company’s own analysis, more than 350,000 documents were accessed without authorization as a result of the Company’s website vulnerability. If DFS’s position on what constitutes a single violation prevails, First American could be exposed to hundreds of millions of dollars in civil penalties.

The case against First American may signal that DFS, after giving covered organizations several years to get their compliance programs in order, now intends to aggressively enforce Reg 500’s requirements. To prepare for this eventuality, subject organizations need to closely scrutinize their compliance programs – including their policies and procedures for conducting security reviews and risk assessments, and for investigating and responding to security incidents – and take proactive steps to plug any gaps in those programs.

Jackson Lewis P.C. © 2021 National Law Review, Volume X, Number 230

About this Author

Damon Silver, Employment Lawyer, Corporate Matters, Jackson Lewis

Damon W. Silver is an Associate in the New York City, New York, office of Jackson Lewis P.C.

In his Privacy, e-Communication and Data Security practice, Mr. Silver advises clients in various industries on compliance with federal and international privacy laws, including HIPAA, the ADA, GINA, FMLA, the TCPA, FCRA, and the EU-U.S. Privacy Shield. He also provides guidance to organizations on data breach prevention and response.

In the area of employment litigation, Mr. Silver defends...

Catherine Tucciarello Labor Employment Attorney Jackson Lewis

Catherine Tucciarello is an Associate in the New York City, New York office of Jackson Lewis P.C.

Ms. Tucciarello regularly represents employers in workplace law matters, including providing preventive advice and counseling, and workplace trainings.

In her Privacy, Data and Cybersecurity practice, Ms. Tucciarello advises clients in various industries on compliance with federal and international privacy laws, including HIPAA, the ADA, GINA, FMLA, the TCPA, FCRA, and the EU-U.S. Privacy Shield. She also provides guidance to organizations on data...