First American Title Insurance Company has been hit with a $1 million penalty from the New York State Department of Financial Services due to violations resulting from a cybersecurity breach in May 2019. The attack exposed over 885 million documents of consumers’ non-public data and access to sensitive information including Social Security numbers, driver’s licenses, and financial data dating back to 2003.
The enforcement action is part of DFS’s broader strategy to implement and enforce stringent cybersecurity regulations. By imposing significant penalties and requiring comprehensive remedial measures, DFS is sending a strong message to all entities under its jurisdiction about the seriousness with which it views cybersecurity compliance.
This approach is reflective of a larger trend among governmental agencies, both at the state and federal levels, to prioritize cybersecurity as a key aspect of consumer protection and corporate governance.
Why it matters: This resolution serves as a reminder of the gravity of cybersecurity lapses within organizations. The imposition of a $1 million penalty highlights the tangible consequences associated with inadequate cybersecurity measures, emphasizing the pivotal need for companies, to rigorously adhere to and bolster their cybersecurity protocols to safeguard consumer data effectively.
- In May 2019, First American experienced a large-scale cybersecurity breach, leading to the exposure of consumers’ nonpublic information. DFS found that the company failed to maintain effective governance, classification, access controls, identity management, and risk assessment policies and procedures.
- As a result, First American will pay a $1 million penalty to New York State for violations of DFS’s Cybersecurity Regulation – 23 NYCRR Part 500. In addition to the financial penalty, First American has agreed to implement significant measures to enhance the security of consumer data.
- The DFS Cybersecurity Regulation, effective since March 2017, has been a model for other regulators, including the U.S. Federal Trade Commission and various states. In November 2023, DFS Superintendent Adrienne A. Harris adopted amendments to the Cybersecurity Regulation to further strengthen cyber governance and mitigate risks.