October 28, 2020

Volume X, Number 302

What the First Enforcement Action under NYDFS Cybersecurity Reg Means to Companies

Late this summer the New York Department of Financial Services (NYDFS) announced its first enforcement action since the cybersecurity rules went into effect in March 2017. The action was brought against First American Title Insurance Co. as a result of a 2018 data breach exposing 850 million customer records containing sensitive personal information.

NYDFS charged First American with violating six provisions of the Cybersecurity Regulation, arguing that, among other violations, First American:

  • failed to utilize risk assessments, security reviews, and its own cybersecurity policies when investigating the vulnerability and sensitive data associated with the vulnerability;

  • misclassified the vulnerability as a “low” severity, and subsequently failed to investigate under the criteria set forth in its cybersecurity policies;

  • did not conduct a reasonable investigation into the vulnerability even after its detection in December 2018, and instead only reviewed 10 of the millions of exposed documents; and

  • failed to follow the advice of its own in-house cybersecurity team to further investigate and remedy the vulnerability.

The statement of charges highlights the NYDFS’s core cybersecurity expectations, namely that a company, as the regulation requires, (i) encrypt documents containing non-public information (NPI); (ii) limit user access to NPI through access controls; and (iii) provide regular cybersecurity awareness training. The NYDFS is seeking civil monetary penalties and an order to remedy the alleged violations, and a hearing is set for October 26.

The NYDFS is not alone in seeking to hold companies accountable for what it perceives as failures to implement adequate cybersecurity measures and to respond adequately to data incidents. The New York Attorney General’s office has recently pursued similar enforcement actions against companies it believes failed to respond adequately to data incidents and to address cybersecurity; the settlement of at least one such action required augmented cybersecurity practices, detailed incident response procedures, and the payment of fines.

Putting it Into Practice: The enforcement action highlights the importance of properly assessing and categorizing the severity of risks associated with cybersecurity vulnerabilities and of taking swift, necessary action to respond to those risks. It also serves as a reminder that companies are expected to have, test, and follow internal policies and procedures for incident response. Lastly, employees responsible for addressing remediation items identified in the aftermath of a security incident should be given the resources and background needed to effect change. Without measured, proactive attention to cybersecurity and incident response, companies could face enforcement actions, fines, and penalties following the disclosure of a data breach.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 267



About this Author

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums.

Ms. Rollins serves as a trusted advisor to her clients, bringing a focused, strategic approach to complex litigation and investigation matters alike. Her clients praise her ability to efficiently and effectively manage complex matters with multiple moving pieces, and to concisely and persuasively communicate the core issues of her clients’ cases to judges, regulators, and opposing counsel. These traits have enabled Ms. Rollins to successfully argue critical motions, procure dismissals, and achieve successful resolutions for her clients.


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...