New York's Department of Financial Services Investigates First Breach Under Its Cybersecurity Regulation

Insurance and Cybersecurity Law Alert

June 13, 2019

Cynthia J. Borrelli


The New York Department of Financial Services (NYDFS) has initiated an investigation of First American Financial Corporation (First American), a real estate title insurance company and the largest title insurance company in the United States. First American recently announced that it had become aware of a design defect in a product application that made unauthorized access to customer data possible. While First American promptly shut down external access to the web application, some data had already been revealed and remains accessible on certain sites. NYDFS reports indicate that approximately 885 million records were exposed over a period of more than 16 years. The records involved included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.

Immediately after news of the First American breach was published, NYDFS sent a letter to First American requesting information relating to the event. This letter is the first test of New York State’s strict new cybersecurity regulations codified at 23 NYCRR 500.00 et seq. Those regulations went into effect in March 2019.

On May 27, 2019, a mere three days after the initial announcement, First American became the subject of a nationwide class action filed in federal court in California alleging the company ignored warnings regarding the security of its network, making it vulnerable to an attack.

The First American incident demonstrates how quickly legal and financial liability can develop following the discovery and announcement of a security incident. The takeaways from the incident apply to all companies, no matter how large or small, which should consider the following:

  • carefully evaluate the impact of any cyber event;
  • review existing contracts with business vendors;
  • document the response to any breach incident;
  • review both internal and insurance policies to ensure compliance with established procedures (including notice) as well as appropriate coverage.

Questions can be directed to Cynthia Borrelli.