NYDFS’ First Cybersecurity Enforcement Action - What Happened and Important Lessons for Organizations
The New York State Department of Financial Services (“NYDFS”) has announced its first enforcement action of NYDFS’ Cybersecurity Regulation, Part 500 of Title 23 (“Cybersecurity Regulation”) against First American Title Insurance Company (“First American”), a leading title insurance provider.
NYDFS alleges that First American exposed hundreds of millions of documents containing consumers’ sensitive personal information (“Nonpublic Information” or “NPI”). According to the Statement of Charges, from at least October 2014 through May 2019, due to a known vulnerability in First American’s public-facing website, tens of millions of documents containing consumers’ bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images were viewable on the open internet without any login or authentication requirement.
According to the NYDFS, any party or participant in a real estate transaction in which First American was the title insurer received a link to a First American website to access transaction documents. By simply changing the website link by one or more digits, anyone could view transaction documents from a different First American transaction, including the information noted above. According to the Statement of Charges, “in other words, more than 850 million documents were accessible to anyone with a URL address providing access to a single document.”
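The flaw described above is what application security practitioners call an insecure direct object reference: the link a party receives encodes a sequential document number, and the server returns whatever number it is handed without confirming that the requester is a party to that transaction. The following Python is an added illustration written for this article, not code from First American or from the Statement of Charges. The transaction IDs, party names and document contents are constructed, and the hardened handler shows one standard remedy (an authorization check at the time of access, plus an unguessable link token in place of the sequential ID); it is not a description of First American’s actual fix.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data (hypothetical): two unrelated real-estate
# transactions, each with documents that contain NPI.
@dataclass
class Document:
    doc_id: int
    transaction_id: str
    contents: str

DOCUMENTS = {
    1001: Document(1001, "TX-A", "bank statement for buyer of TX-A"),
    1002: Document(1002, "TX-A", "driver's license image for seller of TX-A"),
    1003: Document(1003, "TX-B", "SSN form for buyer of TX-B"),
}

# Which user is a party to which transaction (hypothetical).
PARTIES = {"alice": {"TX-A"}, "bob": {"TX-B"}}

class Forbidden(Exception):
    """Raised when a request fails the authorization check."""

# --- Vulnerable pattern: a sequential id in the link, no authorization ---
# The handler trusts the number in the URL. Changing a digit yields a
# document from a different transaction, exactly the behaviour described
# in the Statement of Charges.
def vulnerable_fetch(doc_id: int) -> str:
    return DOCUMENTS[doc_id].contents

def enumerate_neighbors(doc_id: int, span: int = 2) -> list:
    """Simulate a scraper walking the ids around one known document."""
    found = []
    for candidate in range(doc_id - span, doc_id + span + 1):
        if candidate in DOCUMENTS:
            found.append((candidate, vulnerable_fetch(candidate)))
    return found

# --- Hardened pattern ---
# 1. Authorization: the requester must be a party to the document's transaction,
#    checked both when the link is issued and again when it is used.
# 2. Unguessable handles: the link carries a random token rather than the
#    sequential id, so neighbouring documents cannot be enumerated even if
#    an authorization check is ever mistakenly omitted.
_TOKEN_TO_DOC = {}  # token -> (user the link was issued to, doc_id)

def _is_party(user: str, doc: Document) -> bool:
    return doc.transaction_id in PARTIES.get(user, set())

def issue_link(user: str, doc_id: int) -> str:
    doc = DOCUMENTS[doc_id]
    if not _is_party(user, doc):
        raise Forbidden("user is not a party to this transaction")
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    _TOKEN_TO_DOC[token] = (user, doc_id)
    return token

def hardened_fetch(user: str, token: str) -> str:
    entry = _TOKEN_TO_DOC.get(token)
    if entry is None:
        raise Forbidden("unknown link")
    owner, doc_id = entry
    doc = DOCUMENTS[doc_id]
    # Re-check at use time: the link must belong to the authenticated user
    # and that user must still be a party to the transaction.
    if user != owner or not _is_party(user, doc):
        raise Forbidden("user is not a party to this transaction")
    return doc.contents

def denied(fn, *args) -> bool:
    """True if the call is refused by the authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False

def tamper_with_token(user: str, token: str) -> int:
    """Alter each character of a valid token in turn (the analogue of
    changing digits in a URL) and count how many documents come back."""
    hits = 0
    for i, ch in enumerate(token):
        altered = token[:i] + ("A" if ch != "A" else "B") + token[i + 1:]
        if not denied(hardened_fetch, user, altered):
            hits += 1
    return hits

if __name__ == "__main__":
    print("vulnerable, neighbours of 1001:", enumerate_neighbors(1001))
    link = issue_link("alice", 1001)
    print("hardened, alice with her link:", hardened_fetch("alice", link))
    print("hardened, bob with alice's link denied:", denied(hardened_fetch, "bob", link))
    print("hardened, tampered tokens that returned a document:", tamper_with_token("alice", link))
```

The point of the two layers is that they fail independently: the authorization check stops a valid link from being reused by someone who is not a party, and the random token stops the enumeration that a scraper performs against sequential identifiers. Neither replaces the data classification and encryption obligations discussed below; it only closes the specific access-control gap the Statement of Charges describes.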
The NYDFS alleges that deficient controls and other flaws in First American’s cybersecurity practices led to the data exposure, and that multiple failures occurred in First American's handling of the exposure. The Statement of Charges specifically notes the following failures:
Failure to follow internal policies, and neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
Misclassification of the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American's internal cybersecurity policies;
Failure to conduct a reasonable investigation into the scope and cause of the exposure after discovery by an internal penetration test in December 2018, reviewing only ten (10) of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
Failure to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
According to the Statement of Charges, although First American became aware of the vulnerability as early as 2018, First American’s cascade of unfortunate errors allowed the vulnerability to persist for an extended period of time even after discovery. On May 24, 2019, Brian Krebs, a cybersecurity journalist, published an article revealing the exposure. Krebs himself was easily able to view highly sensitive consumer data, including documents that contained NPI such as Social Security numbers, drivers’ licenses, and tax and banking information. According to the Statement of Charges, following publication of the findings, First American reported the incident to the NYDFS as required under the Cybersecurity Regulation and conducted a forensic investigation. The Statement of Charges goes on to state that First American’s own analysis demonstrated that during the 11-month period following June 2018, more than 350,000 documents were accessed without authorization by automated “bots” or “scraper” programs designed to collect information from the internet.
The Statement of Charges alleges that First American committed the following violations of the Cybersecurity Regulation:
23 NYCRR 500.02: First American failed to perform risk assessments for data stored or transmitted within its information systems, despite those systems’ transmission and storage of NPI.
23 NYCRR 500.03: First American failed to maintain and implement data governance and classification policies for NPI suitable to its business model and associated risks. Specifically, First American incorrectly classified an application as not containing or transmitting NPI, despite the fact that it did. Additionally, First American did not maintain an appropriate, risk-based policy governing access controls for the application, and so failed to prevent the exposure of NPI in millions of documents.
23 NYCRR 500.07: The vulnerability allowed unauthorized remote users to gain access to NPI in First American’s application, and the vulnerability existed due to a lack of reasonable access controls such that any person could access sensitive documents stored in the application by altering a URL.
23 NYCRR 500.09: First American’s risk assessment was not sufficient to inform the design of First American’s cybersecurity program as required by the Cybersecurity Regulation, as indicated not only by First American’s failure to identify where NPI was stored and transmitted through its information systems, but also its failure to identify the availability and effectiveness of controls to protect NPI and information systems.
23 NYCRR 500.14(b): First American did not provide adequate data security training for its employees and affiliate title agents responsible for identifying and uploading sensitive documents into First American’s information systems applications. This failure was especially significant since both the process of identifying sensitive documents and the only control preventing NPI from being distributed through the information systems application depended solely on employees and users correctly identifying sensitive documents and treating them appropriately. As a result, First American did not adopt cybersecurity awareness training that reflected the risks inherent in its operations and led to the vulnerability.
23 NYCRR 500.15: Until the end of 2018, First American failed to encrypt sensitive documents in its systems. Other documents that contained sensitive data but were erroneously not marked as sensitive were not encrypted until mid-2019. First American did not implement controls suitable to protect the NPI it stored or transmitted, both in transit over external networks and at rest, nor did First American implement suitable compensating controls approved by its CISO.
Penalties and Hearing Date
The NYDFS is seeking civil monetary penalties, issuance of an order requiring First American to remedy violations, and other appropriate relief. In announcing the Statement of Charges, the NYDFS pointed out that the Cybersecurity Regulation is implemented pursuant to Section 408 of the Financial Services Law, and that violation of Section 408 carries penalties of up to $1,000 per violation. The NYDFS alleges that each instance of NPI encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
A hearing on the matter will be held on October 26, 2020.
The NYDFS is serious about 23 NYCRR 500 enforcement.
The recently-created NYDFS Cybersecurity Division is making good on the NYDFS’ commitment to increase enforcement, and is looking to make it sting. The NYDFS’ position that each violation carries a penalty of up to $1,000 could lead to astronomical fines for organizations. It is also important to note that the NYDFS did not identify any specific consumer harm, which gives us insight into NYDFS’ perspective that violation of the law is enough to trigger enforcement action.
Do not allow cybersecurity issues to fall into a black hole.
According to the NYDFS, First American discovered the vulnerability in December 2018, after which a series of missteps and an incorrect severity classification allowed it to persist for months after discovery. Organizations should ensure that their policies and procedures include a thorough risk assessment of discovered vulnerabilities, a well-developed risk classification structure, and effective remediation procedures with defined timeframes.
Train your employees and hold them accountable.
The NYDFS noted that First American did not adopt cybersecurity awareness training that reflected the risks inherent in its operations, and that when questioned by the NYDFS, First American’s CISO disavowed ownership of certain known cybersecurity issues, stating that specific departmental controls were not the responsibility of First American’s information security department. Adequate employee training on cybersecurity awareness, and holding employees accountable upon becoming aware of cybersecurity issues, could have provided First American with a critical backstop. In organizations where employees are well-trained in cybersecurity awareness, there is a stronger likelihood that someone will step in and remediate cybersecurity issues before they cause harm to the organization. Additionally, where employees are held accountable (or even better, view cybersecurity as a team effort), they are less likely to ignore cybersecurity issues that they become aware of.
Ensure that your security measures don’t just exist on paper – but also in practice.
The only thing worse than not having a good information security policy is having one that is inaccurate or is not followed. According to the NYDFS, First American failed to adhere to its own policies in ways that likely allowed the vulnerability to persist. Organizations should remember that drafting good policy is entirely meaningless if those policies are not implemented and followed.