NYDFS Brings First Enforcement Action Under Cybersecurity Regulation Against Title Insurer Seeking Civil Monetary Penalties

The New York Department of Financial Services (NYDFS) recently brought its first statement of charges against a title insurer under New York’s Cybersecurity Regulation after the NYDFS discovered an alleged security vulnerability on the company’s website that potentially exposed sensitive nonpublic customer information in 2018, which the company failed to promptly fix.  The NYDFS alleges that the company violated several provisions of the Cybersecurity Regulation by failing to: (i) perform proper risk assessments and failing to create an effective cybersecurity program; (ii) failing to maintain risk-based policies for access to consumer information; (iii) failing to properly limit access to information systems containing nonpublic information; (iv) failing to adequately train employees on cybersecurity; (v) and failing to use encryption and other tools to protect nonpublic information.

The NYDFS Cybersecurity Regulation requires Covered Entities to safeguard nonpublic consumer data with effective cybersecurity policies and procedures.  Covered Entities include licensees of the Department of Financial Services.  In this case, the company is licensed to provide title insurance in New York.  Importantly, however, the statement does not identify any New York consumers that were affected by the website vulnerability. 

Specifically, the NYDFS alleges that from October 2014 to May 2019, the company’s website allowed third parties to manually alter URLs, which exposed sensitive consumer data without the need to log in or use another form of authentication.  Further, the vulnerability was discovered in December 2018 when the company conducted a penetration test.  In this case, the company used FAST, a document database, and EaglePro, a title document delivery system, which allowed the company to send external parties certain documents through EaglePro by emailing recipients related to a real estate transaction a URL link to access the documents without requiring the user to login or use another form of authentication.  The URL contained an “ImageDocumentID number” that corresponded to a document in the FAST system, and by altering the ID number, parties could improperly access other consumer’s data.

Despite a report of the penetration test in January 2019 that identified this vulnerability, including potentially 5,000 documents which were subject to Google Indexing for public internet searches, the company’s security team only reviewed 10 documents. The NYDFS alleges that the company failed to address the vulnerability due to “a cascade of errors” in the company’s compliance program.  First, the company improperly coded the vulnerability as “medium severity,” and later “low severity” in the company’s vulnerability tracking system, because the company inaccurately believed NPI was not available as a result of the vulnerability.  Second, the company allegedly failed to create a security overview report and risk assessment under its own cybersecurity policies.  Third, the statement asserts that the company conducted “an unacceptably minimal review of exposed documents” by only reviewing 10 documents of the “hundreds of millions of documents exposed.”  Finally, the NYDFS alleges that the company only acted after media reports exposed the vulnerability, failed to meet a 90 day deadline for remediation, and improperly assigned the remediation to an “unqualified employee.”  NYDFS also alleges that the company’s Chief Information Security Officer disavowed responsibility for remediating the issue.

The NYDFS is seeking civil monetary penalties, an order requiring the company to address deficiencies cited in the enforcement action, and other just relief.