On Tuesday, July 21, 2020, the New York Department of Financial Services (the “NYDFS”) brought its first enforcement action under its Cybersecurity Regulation (the “Regulation”) against a large title insurer (the “Company”) for failing to protect sensitive personal information. The NYDFS is seeking civil monetary penalties, an order requiring the Company to remedy the alleged violations, and any other relief deemed just and appropriate. Although the NYDFS previously investigated Equifax, which resulted in a consent order in July 2019, the NYDFS reported that this is the first enforcement action under the Regulation since it took effect on March 1, 2017.
According to the Statement of Charges and Notice of Hearing (the “Statement of Charges”), the national title insurance company with services in New York state maintained a database with millions of documents containing sensitive personal information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images. The Company also maintained a web-based document delivery application through which title agents and Company employees could access documents in the database and share them with outside parties as part of real estate transactions. To share documents, the agent or employee would email a participant of the real estate transaction a URL that would allow access to the document. Anyone who was provided with the link or the URL could access the document without a further authentication measure.
Allegedly, in October 2014, an update to the document delivery application introduced a vulnerability: the document identification number in the URL was assigned sequentially, and anyone could change that number to view documents to which they did not have authorized access. The NYDFS contends that the Company discovered the vulnerability in a penetration test in December 2018, and the Statement of Charges reports that, at the time, the Company did not appear to find non-public personal information in a small sample of the records identified by the penetration test. However, the penetration test team allegedly recommended investigating the vulnerability further. According to the NYDFS, the Company did not fix the vulnerability until May 2019, when the vulnerability was publicized by Krebs on Security.
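The control failure described above (a share link that carries only a sequential document number, with no further check) is easiest to see next to a share link built as a capability. The following is an added illustration written for this post; it is not code from the Statement of Charges or from the Company. `vulnerable_fetch` reproduces the flaw class as the post describes it, and `ShareService` shows the controls a reviewer would expect instead: an unguessable random token, an ownership check when the link is created, binding of the link to an authenticated recipient, an expiry, a use limit, and an audit record of denied fetches. The document ids, agent names and titles are constructed sample data.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample document store: sequential ids -> owner and title.
DOCUMENTS = {
    1001: {"owner": "agent-a", "title": "closing statement (sample)"},
    1002: {"owner": "agent-b", "title": "wire receipt (sample)"},
}


def vulnerable_fetch(doc_id):
    """The pattern the post describes: the link carries a sequential id and
    nothing else is checked, so any id a caller types in is honoured."""
    return DOCUMENTS.get(doc_id)


@dataclass
class ShareLink:
    doc_id: int
    recipient: str     # the authenticated identity allowed to use the link
    expires_at: float  # unix time after which the link is dead
    uses_left: int     # remaining number of fetches


class ShareService:
    """Capability-style share links (hypothetical hardened design)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._links = {}         # token -> ShareLink
        self.audit = []          # (event, token_prefix, user) for detection

    def create_link(self, actor, doc_id, recipient, ttl_seconds=3600, max_uses=3):
        # Authorization happens at creation time: only the owner may share.
        doc = DOCUMENTS.get(doc_id)
        if doc is None or doc["owner"] != actor:
            raise PermissionError("actor may not share this document")
        # 32 random bytes (256 bits): not sequential, not enumerable.
        token = secrets.token_urlsafe(32)
        self._links[token] = ShareLink(
            doc_id, recipient, self._now() + ttl_seconds, max_uses)
        return token

    def fetch(self, token, authenticated_user):
        link = self._links.get(token)
        if link is None:
            self.audit.append(("unknown-token", token[:8], authenticated_user))
            return None
        if self._now() > link.expires_at or link.uses_left <= 0:
            self.audit.append(("expired-or-exhausted", token[:8], authenticated_user))
            return None
        # The token alone is not enough: the recipient must be logged in.
        if link.recipient != authenticated_user:
            self.audit.append(("wrong-recipient", token[:8], authenticated_user))
            return None
        link.uses_left -= 1
        self.audit.append(("ok", token[:8], authenticated_user))
        return DOCUMENTS[link.doc_id]

    def denials(self):
        """Count of refused fetches; a spike here is what a scraper looks like."""
        return sum(1 for event, _, _ in self.audit if event != "ok")
```

The audit list is deliberately part of the design: the post notes that the Company's own analysis later found hundreds of thousands of documents pulled by automated programs, and a volume of refused or unknown-token fetches is the signal that would have surfaced such activity early.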
The NYDFS contends in the Statement of Charges that the Chief Information Security Officer “disavowed ownership of the issue” by not adopting appropriate controls, because such controls were not seen as the responsibility of the Company’s information security department. Allegedly, the only control preventing users of the application from sending personal information was an instruction to users not to send such information. The Statement of Charges states that, instead of implementing “centralized and coordinated training” on security procedures, the Company charged individual business units with enforcing such procedures and training users on them.
The NYDFS brought the enforcement action for violations of several provisions of the Regulation covering the time period of March 1, 2017, when the Regulation took effect, until May 24, 2019, when the vulnerability was remediated. The Company allegedly violated the following Sections:
- 500.02 (Cybersecurity Program) by failing to conduct risk assessments for nonpublic information stored and transmitted within its system, including in its database and web application;
- 500.03 (Cybersecurity Policy) by not (i) maintaining and implementing data governance and classification policies and (ii) maintaining an “appropriate, risk-based policy governing access controls” for its application;
- 500.07 (Access Privileges) by not implementing reasonable access controls and instead allowing unauthorized remote users to gain access to nonpublic information in the Company’s database;
- 500.09 (Risk Assessment) by not conducting a risk assessment sufficient to inform the Company’s cybersecurity program, particularly given the Company’s alleged “failure to identify where [nonpublic information] was stored and transmitted through its Information Systems” and the availability and effectiveness of its controls;
- 500.14(b) (Training and Monitoring) by not providing adequate data security training to the Company’s personnel responsible for identifying and uploading sensitive documents to the Company’s database and using its web application; and
- 500.15 (Encryption of Nonpublic Information) by failing to implement controls, including encryption, and adopt compensating controls required to be approved by the Company’s CISO to protect nonpublic information.
In addition to these specific charges, the NYDFS contends that the Company mischaracterized the level of risk as “medium severity” because the Company did not believe that its application could transmit personal information. Allegedly, the Company’s CISO testified that she believed that only public data was transmitted through the application, and the NYDFS found that the Company’s review of a small sample of exposed documents contributed to the mischaracterized risk level. Further, the NYDFS contends that an administrative error caused the medium-level risk to be reclassified as a low-level risk. Nonetheless, the NYDFS asserts that even had “low severity” been an appropriate designation, the Company failed to remedy the vulnerability within the timeframe provided in its internal policies for low-severity risks. According to the Statement of Charges, the Company placed the responsibility to remediate the vulnerability on an inexperienced employee who was not provided the appropriate policies, standards and support to address the issue.
Notably, in the Statement of Charges, the NYDFS did not mention any harm specific to New York residents, although it identified that the Company’s own analysis showed more than 350,000 documents were accessed without authorization by automated programs described as “bots” or “scrapers.”
A hearing will be held before a hearing officer appointed by the Superintendent of Financial Services (the “Superintendent”) at the NYDFS office, beginning on October 26, 2020, to determine whether the Company violated the Regulation. The NYDFS is seeking civil monetary penalties under Section 408 of the New York Financial Services Law, which permits the Superintendent to issue a penalty of up to $1,000 per violation. It is unclear how the total penalty may be calculated, particularly given that the NYDFS did not provide in the Statement of Charges a concrete number of records believed to be exposed or, more specifically, the number of those records that pertain to New York State residents. However, the penalty could be extensive, with potentially tens of millions of documents stored on the Company’s systems. In addition to civil monetary penalties, the Superintendent is also seeking an order requiring the Company to remedy any violations found and other appropriate relief.
A full copy of the Statement of Charges and Notice of Hearing can be found here.