The New York Department of Financial Services ("NYDFS") has commenced its first enforcement action under New York's Cybersecurity Requirements for Financial Services Companies.[1] Part 500, which requires financial institutions subject to NYDFS jurisdiction to establish and maintain certain cybersecurity standards to protect Nonpublic Information ("NPI") within their control, has been described as a "first in the nation" regulation due to its detailed cybersecurity obligations. NYDFS has prioritized compliance with Part 500 in regular and targeted examinations of NYDFS-supervised institutions, and now has taken the next step in an enforcement action against First American Title Insurance Company.
Part 500 took effect in 2017 and was fully implemented as of March 2019. Pursuant to its mandates, entities under NYDFS jurisdiction must implement appropriate cybersecurity policies and procedures based on risk assessments for NPI, which because of its inclusion of certain business-related information is quite broad and unlike many other data protection standards. Effective controls, employee training, and good governance are also required.
THE NEW ACTION
In a Statement of Charges and Notice of Hearing,[2] the NYDFS alleges that First American – the second largest title insurance provider in the United States, handling millions of documents containing sensitive personal information – violated numerous Part 500 requirements.
Among other things, the Notice alleges that First American failed to address a known vulnerability in its document-handling program, exposing millions of documents containing NPI. Although it is still unclear how many documents were exposed, by its own analysis, First American identified that, in an 11-month period, approximately 350,000 documents that should have been restricted were accessed by automated programs scraping the internet.
The Notice states that the NYDFS determined that First American had stored documents used to obtain title insurance (many of which contain NPI such as Social Security numbers and financial account information) in a proprietary document management system known as FAST.
According to the Notice, in order to share documents stored in FAST with title agents or parties to a real estate transaction, First American implemented EaglePro, a web-based title document delivery system. Documents in EaglePro allegedly were accessible through a website link that parties to a transaction shared with each other.
Because documents in EaglePro were sequentially numbered and users were not required to verify their identities, any person – including unauthorized individuals – with an EaglePro link allegedly could change a number in the URL to access other documents available through the platform. Unauthorized individuals could also find and view documents containing NPI in Google search results. As of 2019, website links did not have expiration dates.
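The three weaknesses the Notice describes (sequential document numbers in the link, no identity check, no link expiry) are modelled below in a toy sharing service next to a hardened variant. This is an added illustration, not code from the article or from First American; the class names, the `DOCS` sample and the `example.invalid` host are constructed.

```python
# Added example: a weak "link equals document number" share service beside a
# hardened one that issues unguessable, recipient-bound, expiring tokens.
import hmac
import secrets

DOCS = {1001: "closing statement (NPI)", 1002: "title commitment (NPI)"}  # constructed sample


class SequentialLinkService:
    """Weak pattern: the link carries only a sequential document number."""

    def make_link(self, doc_id: int) -> str:
        return f"https://docs.example.invalid/view?id={doc_id}"

    def fetch(self, url: str, requester: str, now: int):
        doc_id = int(url.rsplit("=", 1)[1])
        # No identity check and no expiry: any id in range is served to anyone.
        return DOCS.get(doc_id)


class TokenLinkService:
    """Hardened pattern: random token bound to one recipient with a short lifetime."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self.grants = {}  # token -> (doc_id, recipient, expiry timestamp)

    def make_link(self, doc_id: int, recipient: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: cannot be enumerated
        self.grants[token] = (doc_id, recipient, now + self.ttl)
        return f"https://docs.example.invalid/view?token={token}"

    def fetch(self, url: str, requester: str, now: int):
        token = url.rsplit("=", 1)[1]
        grant = self.grants.get(token)
        if grant is None:
            return None
        doc_id, recipient, expires_at = grant
        if now >= expires_at:
            self.grants.pop(token, None)  # expired links stop working for good
            return None
        if not hmac.compare_digest(requester, recipient):
            return None  # the requester must be the party the link was issued to
        return DOCS.get(doc_id)


def response_headers() -> dict:
    """Headers for document responses so search engines neither index nor cache them."""
    return {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "private, no-store"}
```

The `response_headers` helper addresses the separate finding that NPI documents surfaced in Google search results; it assumes the application can set per-response headers.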
The Company's Cyber Defense Team discovered this vulnerability in December 2018 and quickly alerted the EaglePro Application Development Team. The Cyber Defense Team issued a report in January 2019 describing the vulnerability, but according to the Notice, the Company did not take steps to remediate the vulnerability for at least six months thereafter.
ALLEGED CYBERSECURITY FAILURES
The NYDFS Notice describes First American's response to the EaglePro vulnerability as "a cascade of errors." The alleged errors include:
- Failing to follow its own cybersecurity policies by not performing a risk assessment or a security review of EaglePro;
- Underestimating the level of risk associated with the EaglePro vulnerability by internally classifying it as "medium severity," due to its mistaken belief that EaglePro could not transmit NPI;
- Delaying addressing the vulnerability because of a subsequent misclassification as a "low severity" vulnerability due to an administrative error;
- Failing to conduct further risk assessments against the advice of the Cyber Security Defense Team;
- Failing to follow its own internal policies and controls to address the EaglePro vulnerability;
- Assigning an unqualified and uninformed employee with little experience in data security to fix the vulnerability; and
- Maintaining an inadequate manual process subject to human error for identifying documents with NPI, compounded by insufficient training.
The Notice stresses, as a central allegation, that First American not only "lacked adequate controls" to protect NPI, but also failed to conduct an adequate risk assessment.
The NYDFS's new enforcement action clearly underscores that, to comply with Part 500, covered entities must conduct thorough risk assessments and promptly institute controls sufficient to address identified cybersecurity vulnerabilities. The risk assessment requirement is a cornerstone of Part 500 and should serve as the basis upon which covered entities' cybersecurity programs and policies are developed and maintained.
Without a thorough and meaningful risk assessment, based on legal standards such as those contained in Part 500, a covered entity is unlikely to identify and implement the risk-based controls required to protect its information systems and NPI or to effectively identify vulnerabilities that should be remediated.
The enforcement action thus serves as a lesson for industry participants to not only take care in developing compliant cybersecurity programs, but to ensure that such programs are properly implemented and continually reevaluated through self-testing.
1. 23 NYCRR Part 500.
Originally published by Pratt's Privacy & Cybersecurity Law Report – Lexis Nexis.