The New York State Department of Financial Services (DFS) has announced a $1 million penalty against First American Title Insurance Co. for violating DFS’s cybersecurity regulation, following a significant breach in May 2019 that exposed consumers’ nonpublic information.
The breach, leading to the exposure of sensitive consumer data, prompted the imposition of penalties on the company and required it to implement remedial measures outlined in the consent order to bolster consumer data security.
First American gathers personal and financial data stored in its proprietary EaglePro application, handling information related to title documents. Senior management became aware in May 2019 of a vulnerability in EaglePro, enabling anyone possessing the access link to view not only their documents without authentication but also unrelated individuals’ information in separate transactions.
DFS’s investigation revealed that First American violated cybersecurity regulations by lacking effective governance, classification, access controls, identity management, and risk assessment policies. Consequently, EaglePro lacked adequate access controls, allowing unauthorized users access to consumers’ nonpublic information.
Acknowledging the insurer’s cooperation during the investigation and subsequent implementation of corrective measures, DFS highlighted the significance of its cybersecurity regulation, effective since March 2017. Recent amendments in November aimed to fortify cyber governance, diminish risks, and enhance protections for New York businesses and consumers against evolving cyber threats.
