New York Cyber Regime Takes Action
As much as our worlds have been upended by the ubiquitous pandemic, some things proceed apace.
On July 21, the New York Department of Financial Services announced that it filed its first enforcement action under the cyber-security regulatory regime it put into place in 2017—perhaps emblematic of such “normalcy.” This also is the first enforcement action of the new DFS Cybersecurity Division created last year to consolidate the department’s cyber-security oversight and enforcement activities and to separate those regulatory activities from the Banking, Insurance, and Consumer Protection and Financial Enforcement Divisions of DFS. So what guidance can we glean from this initial enforcement overture?
Claims-Based Enforcement, at Least for Now.
As noted in the “Statement of Charges” complaint filed by DFS, an article published in May 2019 alleged that First American Title Insurance Company had exposed as many as 885 million documents since as early as 2003. According to the article, many of those documents contained non-public personal information (NPI), and, through a public internet portal, the reporter himself “was easily able to view highly-sensitive consumer data, including documents that contained NPI such as social security numbers, drivers’ licenses, and tax and banking information.”
After publication of the article, First American reported the incident to DFS and publicly disclosed that this “vulnerability” existed and that documents containing customer NPI “were potentially exposed.” It appears that DFS then initiated an extensive investigation that resulted in charges issued against First American.
You Have to Adhere to Your Cyber-Compliance Plan.
The complaint asserts that the “vulnerability” was first discovered by First American’s cyber defense team during a penetration testing exercise conducted in December 2018. An internal report issued by that team in early January 2019 noted that thousands of documents had been exposed through simple Google searches that allowed the bypassing of normal authentication mechanisms to access First American documents.
The department asserts that First American failed to adhere to its policy, which requires remediation of any identified exposures—regardless of how minimal the severity—within 90 days of discovery.
DFS also takes First American to task because its policies required separate risk assessments for every software application it maintained through which data was stored or transmitted but, according to the DFS allegations, no assessment ever was done of the application that had the “vulnerability.”
Finally, First American’s policy incorporated the requirement that documents containing NPI be encrypted as of Sept. 1, 2018, but First American allegedly did not encrypt its “tens of millions of documents containing NPI until approximately December 2018[.]”
Your Assessments and Decisions Will Be Questioned.
According to the complaint, no effective attempt to fix the “vulnerability” was made until after the article was published. DFS blames this failure on a number of judgments it characterizes as miscalculations, asserting that First American:
- Conducted an “unacceptably minimal review of exposed documents, and thereby failed to recognize the seriousness of the security lapse”
- Failed “to heed advice” given by its own in-house cyber-security team, which had recommended conducting more extensive reviews
- Improperly characterized—through an “apparent administrative error”—the magnitude of the threat posed by the “vulnerability,” which “compounded the delay in the timeframe for remediating the ‘vulnerability’”
- “Ineffectively assigned” the remediation responsibilities to an “unqualified employee” who was not properly briefed on the nature or scope of the “vulnerability.”
Your Cyber-Security Team Will Be Questioned and Any Failure to Adhere to Recommendations Will Be Challenged.
DFS recounts in its complaint, in some detail, information it gleaned from interviews and reviews of email and other documents, listing various security recommendations that were made and not adopted. For example, recommendations made after publication of the article to limit access to the vulnerable application to authenticated users, or to disallow transmission of documents containing NPI through that application, both apparently were flatly rejected by the company’s management.
The Cyber-Security Team Members Each Need to Be Clear on Their Roles and Responsibilities.
One of the more glaring components of the complaint is its focus on the fact that cyber-security team members individually disclaimed knowledge of the “vulnerability” and responsibility for implementing various components of First American’s cyber-security plan and control protocols.
Training, Training, Training.
DFS asserts that many individuals who used First American systems containing NPI—including outside independent agents who submit information to First American through its portals—were not properly trained in NPI handling procedures and protocols.
So where does that leave us? My takeaways:
- Revisit your cyber-security policies to ensure they meaningfully reflect the requisite (and regular) risk assessments and that you are living the policies or adjusting them to better fit your actual practices.
- Fix any identified vulnerabilities as expeditiously as possible.
- To the extent cyber-security recommendations are rejected, be sure that you have a sound basis for the rejection that is well documented.
- Ensure that your cyber-security professionals are clear on their roles and responsibilities.
- Train, train, train—including any third parties that handle NPI on your behalf or that have access to any component of your systems through which NPI can be accessed.
In some respects, the five-count Statement of Charges covers the gamut of potential violations and presents a dream initial enforcement initiative from DFS’s perspective. The hearing currently is scheduled for Oct. 20, 2020.