Cybersecurity Enforcement Is Coming & NY Has Set The Stage With Its First NY DFS Case

By Antonia Dumas, Associate at XPAN Law Group, LLC 

With California’s Attorney General’s first steps towards enforcement of the CCPA, data privacy enforcement is a hot topic. However, we should not forget the other side of the coin, cybersecurity enforcement. Just as there has been a rise in data privacy regulatory activity and discussions, there has also been a development of cybersecurity regulations and cybersecurity obligations incorporated within existing regulations. Regulations that address data security and cybersecurity obligations are emerging both at the state level (e.g., Massachusetts’ law imposing written information security policy requirements) and the federal level (e.g., the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule and proposed changes to the Gramm-Leach-Bliley Act Safeguards Rule adding specific requirements for information security programs). 

New York was the first state to pass cybersecurity specific regulations in the financial industry, the NY DFS Cybersecurity Regulation. And, less than two years after going into effect, we finally have the first enforcement by NY DFS of this regulation. This first cybersecurity enforcement action is significant because “DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, and the National Association of Insurance Commissioners (NAIC).” (See NY DFS’s press release for enforcement action).

So, the long-awaited first case against a company enforcing the obligations under the NY DFS regulation will provide us guidance for what may come in cybersecurity enforcement generally. 

First: what is the NY DFS Cybersecurity Regulation?

NYDFS imposes proactive cybersecurity regulations on “covered entities” doing business in New York (including insurance companies, banking institutions, trust companies, budget planners, check cashers, credit unions, and credit monitoring companies). In essence, covered entities are required to meet certain cybersecurity controls to protect information systems and nonpublic information (all electronic information that is not Publicly Available Information) stored on those systems. 

“Publicly Available Information” (carved out of these regulations) includes “any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law.” Section 500.01(j). 

Although the Cybersecurity Regulation was effective as of March 1, 2017 (see XPAN’s previous post), covered entities were required to become compliant through various transition periods (i.e., phases) over two years until the full effective date of March 1, 2019. Section 500.22. Some of the key requirements under the Cybersecurity Regulation include designating a Chief Information Security Officer (CISO), enacting a comprehensive cybersecurity policy and a detailed cybersecurity plan, conducting risk assessments, initiating and maintaining an ongoing reporting system for cybersecurity events, and establishing policies for third party service providers.  

Now: the First Cybersecurity Regulation Enforcement Case 

The NY DFS filed a statement of charges against First American Title Insurance Company (one of the largest providers of title insurance in the United States) for violation of the Cybersecurity Regulation for its failure to safeguard consumer information. 

Here is a summary of some key factual allegations made by DFS: 

  • Data Collection: First American “collects, stores, and transmits the personal information of millions of buyers and sellers of real estate in the U.S. each year”, including sensitive personal information “such as social security numbers, bank account and wiring information, and mortgage and tax records”. 
  • Data Storage: First American stores this information in a main repository, FAST image, and uses this information to transact title insurance and settlement orders. 
  • Data Transfers: First American uses a web-based title document delivery system, EaglePro, which allows title agents and other First American employees to share and transmit documents to third parties via email without requiring a third-party login or authentication. 
  • Data Exposure: In October 2014, First American updated the EaglePro system in a way that gave rise to a vulnerability that could essentially allow any viewer (authorized or not) to access more than 850 million documents even though they were only given a URL address to access a single document (this was accomplished by simply altering the ImageDocumentID in the URL address for the EaglePro website). 
  • Reporting Data Exposure: First American discovered the vulnerability in December 2018 through penetration testing and notified EaglePro. Then, First American issued a final report in January 2019 describing the URL vulnerability and showing that more than 5,000 documents exposed by EaglePro also had been subjected to Google search engine indexing, facilitating public access. First American did not conduct a follow-up investigation (ignoring the Cyber Defense Team’s recommendation) and made several errors in correcting the vulnerability during the following months. In May 2019, the incident was reported by journalists to have led to an exposure of 885 million documents (as originally reported in Brian Krebs’ article, followed by Forbes, etc.). Following these articles, First American reported the incident to DFS and publicly disclosed “the potential for unauthorized access to customer data.”

DFS alleges that First American committed multiple failures, had deficient security controls, and had flaws in cybersecurity practices that led to data exposure of sensitive consumer information. In particular, DFS alleges that First American violated six provisions of the Cybersecurity Regulation. Below is an analysis of each of those alleged violations: 

Cybersecurity Program and Risk Assessment Requirements: 

Section 500.02 – Requires a cybersecurity program (a) designed to protect the confidentiality, integrity and availability of information systems, and (b) informed by a risk assessment. 

Section 500.03 – Requires written cybersecurity policy(ies) approved by a senior officer or the board of directors.

Section 500.09 – Requires periodic risk assessments to inform the design of the cybersecurity program. Requires assessments to be updated as reasonably necessary to address changes (to systems, information or operations). Requires assessments to “allow for revision of controls to respond to technological developments and evolving threats.” Further requires that risk assessments be carried out in accordance with written policies and procedures. 

In the statement of charges, DFS alleges that First American: 

  • Failed to follow its own cybersecurity policies by failing to conduct the required security overview or risk assessment for EaglePro. 
  • Grossly underestimated the level of risk (as medium risk) associated with the vulnerability: (1) employees classified the risk as medium severity based on the belief that EaglePro could not transmit personal information; (2) the CISO believed that the data was publicly available and did not constitute personal information. 
  • Compounded the remediation delay by 90 days through an administrative error: the vulnerability was inadvertently re-classified from “medium” to “low” when entered into First American’s vulnerability tracking system.
  • Failed to adhere to internal policies and delayed addressing the vulnerability for six months due to misclassification, internal confusion and lack of accountability for responsibility for remediation of vulnerabilities. 
  • Conducted an unacceptably minimal review of exposed documents (only 10 documents out of hundreds of millions of exposed documents), and thereby failed to recognize the seriousness of the security lapse. 
  • Failed to heed advice proffered by its own cybersecurity experts (the Cyber Defense Team) to conduct further review to determine if sensitive documents were exposed.

Access and Transfer Control Requirements:  

Section 500.07 – Requires limitations on user access privileges. 

Section 500.15 – Requires encryption mechanisms (in transit and at rest).

In the statement of charges, DFS alleges that the URL vulnerability exposed documents without requiring a third-party login or authentication (i.e., it allowed unauthorized users access and did not require encryption in transit or at rest). 
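The URL flaw in the “Data Exposure” bullet and the Section 500.07 access-control requirement above come down to one design decision: whether the document identifier in the link is the only thing the server checks. The following is an added illustration written for this post, not First American’s code or anything from the DFS charges; the in-memory document store, the sequential ImageDocumentID values and the share-token scheme are assumptions for the example. It places the flawed lookup beside a hardened form in which a share is a random token bound to one document and one recipient.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Document:
    doc_id: int      # assumed stand-in for the ImageDocumentID in the URL
    owner: str       # title agent entitled to share the document
    body: str


# Constructed sample data: sequential IDs, as in the URLs described above.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "agent_a", "closing statement for buyer X"),
    1002: Document(1002, "agent_b", "wiring instructions, SSN, tax records"),
}


def fetch_vulnerable(image_document_id: int) -> Optional[str]:
    """The flaw: the ID from the URL is the only input, and there is no login
    or per-document authorization. Changing 1001 to 1002 returns a document
    the caller was never sent."""
    doc = DOCS.get(image_document_id)
    return doc.body if doc else None


# Hardened form: the link carries an unguessable token, never the raw ID, and
# the token is tied to a single document and a single named recipient.
SHARES: Dict[str, Tuple[int, str]] = {}


def create_share(doc_id: int, recipient: str, sender: str) -> str:
    """Only the document's owner may create a share; the server records who
    the share is for so the token alone is not a bearer credential."""
    doc = DOCS[doc_id]
    if doc.owner != sender:
        raise PermissionError("sender is not entitled to share this document")
    token = secrets.token_urlsafe(32)   # 256 random bits: not enumerable
    SHARES[token] = (doc_id, recipient)
    return token


def fetch_hardened(token: str, authenticated_user: str) -> Optional[str]:
    """Authorization is checked per document and per recipient on every
    request; a valid login by itself does not grant access to other shares."""
    share = SHARES.get(token)
    if share is None:
        return None                      # unknown or guessed token
    doc_id, recipient = share
    if authenticated_user != recipient:
        return None                      # right token, wrong user: deny
    return DOCS[doc_id].body
```

In the hardened form the recipient must authenticate, so access is logged against a known user, which is the auditable control Section 500.07 asks for rather than a link anyone holding it can reuse or alter.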

Security Training Requirement: 

Section 500.14(b) – Requires regular cybersecurity awareness training for all personnel.

In the statement of charges, DFS alleges that remediation was ineffectively assigned to an unqualified (i.e., untrained) employee. The employee was new, had little experience in data security, was not provided with the penetration test report or the applicable policies and standards for data security and remediation, and was offered little support. 

Key Takeaways

Here are some key takeaways to better position your company for cybersecurity compliance and prepare for (and hopefully avoid) enforcement actions: 

  1. Create and maintain an up-to-date written cybersecurity or information security plan 
  2. Ensure you have qualified individuals who are trained and held accountable for cybersecurity 
  3. Establish and integrate a risk management approach, including risk assessments (covering new tools as they are introduced) 
  4. Establish and keep up to date cybersecurity and risk assessment policies and procedures 
  5. Ensure initial and regular cybersecurity training is conducted, especially for identifying and managing vulnerabilities 
  6. Generally understand data processing activities and the tools used (including third-party tools, data access and data transfer mechanisms)

Overall takeaway: Do not wait for the outcome of cases like this! Start preparing TODAY to protect your company data and demonstrate your compliance. And, remember: luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.