August 8, 2020

Volume X, Number 221


NYDFS - First Enforcement Action Under Cybersecurity Regulation

On July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it had filed its first enforcement action under 23 NYCRR 500 (the “Cybersecurity Regulation”) against First American Title Insurance (the “Company”), a large title insurance provider.

IN DEPTH
According to NYDFS’ Statement of Charges and Notice of Hearing (the “Statement”), the Company maintained a database with tens of millions of documents that included sensitive personal information, such as Social Security numbers, bank account information and mortgage and tax records. The Company also maintained a web-based title document delivery application that allowed certain individuals to access and share documents from the database with outside parties. As a result of a 2014 software update, the Company allegedly created a vulnerability in the document delivery application that led to the exposure of more than 850 million documents, many of which contained sensitive nonpublic personal information (NPI), including financial information, of consumers. NYDFS contends that the Company discovered the vulnerability and data exposure in a penetration test carried out in December 2018 but did not remedy the vulnerability until May 2019, when a security reporter reported on the vulnerability.

NYDFS alleges that the vulnerability and the resulting exposure of NPI, caused in part by a lack of reasonable access controls, were further compounded by a series of errors and flaws in the Company’s cybersecurity program and remediation. NYDFS further alleges that the Company’s actions and/or practices amounted to the following six violations of the Cybersecurity Regulation:

  1. Failure to conduct a risk assessment for data stored in its database and document delivery application in violation of 23 NYCRR 500.02;

  2. Failure to maintain and implement data governance and classification policies that were appropriate to the Company’s business model and risks in violation of 23 NYCRR 500.03;

  3. Failure to limit user access privileges to information systems that provide access to NPI, and to periodically review such access privileges, in violation of 23 NYCRR 500.07;

  4. Failure to conduct periodic risk assessments that were sufficient to inform the design of the cybersecurity program in violation of 23 NYCRR 500.09;

  5. Failure to provide regular cybersecurity awareness training updated to reflect risks identified in the annual risk assessment to employees and affiliated title agents in violation of 23 NYCRR 500.14;

  6. Failure to implement controls, including encryption, to protect NPI held or transmitted both in transit over external networks and at rest in violation of 23 NYCRR 500.15.

NYDFS is seeking civil monetary penalties, an order requiring the Company to remedy any violations and such other relief as may be ordered. While the Statement does not indicate how the total penalty would be calculated or the number of New York residents potentially impacted, NYDFS may seek a penalty of up to $1,000 per violation under New York law. NYDFS has stated that each instance of NPI encompassed within the charges is a separate violation, so the monetary penalty could be significant. NYDFS will hold a hearing on these alleged violations on October 26, 2020.

Key Insights

Covered entities should closely monitor this enforcement action. It not only provides key insights into NYDFS’ enforcement priorities and expectations but also may provide guidance in relation to obligations under insurance data security laws that are increasingly being adopted by states across the United States.

The Statement does not allege direct harm to New York (or other) consumers, which further illustrates the importance of adhering to the letter and spirit of the Cybersecurity Regulation, because potential enforcement action under the Cybersecurity Regulation need not be based on actual consumer harm.

Key insights include:

Follow Policies and Procedures Informed by Risk Assessments

NYDFS makes clear with this enforcement action that cybersecurity is not simply a paper exercise. It is crucial that covered entities not only implement cybersecurity policies and procedures but that they follow such policies and procedures. Cybersecurity policies and procedures must be informed by comprehensive risk assessments carried out by individuals well versed in the entity’s systems and the data being collected. Covered entities must also act in accordance with their cybersecurity policies and procedures, including in remedying any vulnerabilities or deficiencies identified by a risk assessment.

According to the Statement, the Company allegedly failed on multiple fronts, both in designing its cybersecurity policies and procedures and by failing to act in accordance with such policies and procedures. The Company’s cybersecurity policies required a security overview report for each application and a risk assessment for data stored or transmitted by any application. NYDFS contends the Company failed to perform a security overview or risk assessment for its document delivery application, and as a result, after the discovery of the vulnerability, the Company failed to identify that NPI was being stored and transmitted through the application, contributing to the misclassification of the severity of the vulnerability and data exposure.

The Statement further alleges the Company did not: (i) act in accordance with its cybersecurity policies and procedures by failing to remedy the vulnerability in accordance with the time periods set out in its policies; (ii) follow the recommendations of its cybersecurity personnel to conduct further review and investigation of the vulnerability; and (iii) act to improve the process for tagging documents with NPI to prevent their release, despite being aware that the process was “highly prone to error” and that potentially millions of documents were incorrectly tagged and thus exposed.

Remediate Significant Vulnerabilities Quickly

Once a vulnerability is identified, covered entities must act quickly to classify it correctly and remediate it. Severity should be assessed against the data the affected system actually stores or transmits, not against assumptions about it. Covered entities must involve the appropriate personnel in the response, and there must be accountability for the remediation.

The Statement accuses the Company’s Cyber Defense team of incorrectly classifying the vulnerability as “medium severity” based on the mistaken belief that the document delivery application did not transmit NPI. (The Statement also alleges the vulnerability was inadvertently reclassified as “low severity” in the vulnerability tracking system, further delaying its correction.) NYDFS contends this improper classification was compounded by the Company’s “willful failure” to remediate the vulnerability for six months after it was discovered, allowing “unfettered access” to millions of documents containing NPI until June 2019. The Company also allegedly assigned remediation to a new employee with little security experience and did not provide the employee with the penetration test report detailing the vulnerability, information about its severity or the applicable security and remediation policies.

Conduct a Reasonable Review

Once a vulnerability is discovered, a covered entity must conduct a reasonable investigation. NYDFS will assess the reasonableness of a covered entity’s investigation and remediation of a vulnerability.

The Statement alleges that, after the penetration test report identified the vulnerability and potential data exposure, the Company did not reasonably investigate, reviewing only 10 documents, none of which included NPI, despite knowing that hundreds of millions of documents may have been exposed. NYDFS describes this review as a “preposterously minimal review,” alleging that its inadequacy contributed to the Company failing to understand the severity of the risk and the sheer volume and sensitivity of the NPI that may have been exposed.

Undertake Cybersecurity Awareness Training

Covered entities must provide regular cybersecurity awareness training for all personnel. Covered entities must also carefully consider who should receive training, including, for example, agents that have access to a covered entity’s systems or databases.

The Company allegedly failed to adequately provide cybersecurity awareness training. NYDFS further alleges that senior employees involved with the information systems lacked knowledge of whether the document delivery application included NPI. Additionally, NYDFS alleges the Company did not provide cybersecurity awareness training to affiliated title agents despite them being able to access its systems and documents.

© 2020 McDermott Will & Emery. National Law Review, Volume X, Number 221

About this Author

H. Michael Byrne, Partner, McDermott Will & Emery

H. Michael (Mike) Byrne has extensive experience in complex insurance transactions, regulation and InsurTech matters. He advises US and international insurers and reinsurers, investors, producers and technology companies on a broad range of matters, including obtaining regulatory approvals for M&A, change of control and affiliate transactions; forming, licensing and structuring business operations; drafting and negotiating agreements; M&A involving producers and service providers; and developing and obtaining approvals for unique products. He delivers practical and business-focused...

1 212 547 5388
Laura E. Jehl, Partner, McDermott Will & Emery

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and technological challenges and opportunities her clients face and helps develop innovative approaches to maximize the value of their data-based assets.

 

Laura handles complex data security incidents, including large data breaches in the healthcare, internet, social media and hospitality sectors, among others. She directs forensic investigations, advises on notifications to US and international regulators, and leads sensitive interactions with law enforcement and national security agencies related to cyber incidents.

Laura also advises on US and international privacy and cybersecurity compliance, including obligations imposed by the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). She also advises clients on the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Electronic Communications Privacy Act (ECPA), the Children’s Online Privacy Protection Act (COPPA), and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), as well as other breach notification and data security laws. She has helped hundreds of clients build and enhance comprehensive privacy programs, while anticipating emerging and quickly evolving privacy and security obligations.

Laura also represents clients in connection with legal and regulatory issues presented by emerging technologies, including blockchain, cryptocurrencies and digital identity solutions.

202-756-8930
Jaime B. Petenko, Counsel, McDermott Will & Emery (Wilmington)

Jaime Petenko addresses the complex issues presented by emerging technologies. She has a deep understanding of international, federal and state privacy and data protection rules, regulations and guidance, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). She counsels clients on identifying risks related to global data collection, use and storage and managing compliance obligations. Jaime’s corporate background gives her a unique perspective on privacy and data protection. Jaime also advises on legal and regulatory...

302 485 3915