New York Files First 23 NYCRR 500 Enforcement Action

On July 21st, 2020, the New York Department of Financial Services (NYDFS) announced that it had filed its first enforcement action under the 23 NYCRR 500 cybersecurity regulation against First American Title Insurance, a large title insurance provider headquartered in Santa Ana, California. According to the NYDFS Statement of Charges and Notice of Hearing, for more than four years, First American Title Insurance Company exposed tens to hundreds of millions of documents that contained consumers’ sensitive personal information including bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images. From at least October 2014 through May 2019, due to a known vulnerability on First American’s public-facing website, more than 850 million documents were accessible to anyone with a web browser and the URL address, allowing access to the documents without any login or authentication requirements.

The vulnerability was first introduced during an application software update in May 2014 and went undetected for years. First American’s mishandling of its own customers’ data was compounded by its willful failure to remediate the vulnerability, even after it was discovered by a penetration test in December of 2018. Remarkably, First American instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by nationally recognized cybersecurity industry journalist Brian Krebs.

The NYDFS is seeking civil monetary penalties, issuance of an order requiring First American Title Insurance Company to remedy violations, and other appropriate relief. Though the exact monetary penalty is yet to be determined, violations can carry up to a $1,000 fine per violation. The NYDFS alleges that each instance of nonpublic information (NPI) exposure outlined within the charges constitutes a separate violation, carrying up to $1,000 in penalties per violation. Multiply that by the tens to hundreds of millions of documents that were exposed, and the monetary penalty could be colossal, not to mention the damage to the brand reputation of the company!

23 NYCRR 500 Regulation Background

Back in 2016, hackers stole $81 million from the Federal Reserve Bank of New York. The total could have actually been $1 billion had the perpetrators not made a typo in one of their fraudulent transfer requests, which brought the operation to a halt. That attack was just the tip of the proverbial iceberg, raising enough concern for the Society for Worldwide Interbank Financial Telecommunication (SWIFT) to call for several new security measures, including two-factor authentication to verify system messages.

Around the same time, New York’s Attorney General announced efforts to electronically streamline data breach notification in the wake of a record number of breaches. New York’s Department of Financial Services (NYDFS) proposed 23 NYCRR 500 (Cybersecurity Requirements for Financial Services Companies) that same year.

Effective March 1, 2017, covered entities were required to make their first annual certification filings by February 15, 2018. Any institution operating, “…under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” must comply with the regulations. Therefore, if you engage in any financial business in the State of New York, you must follow the rules (entities with fewer than 10 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets are exempt).

NYDFS built in a two-year transition period to allow covered entities to gradually address each component, rather than overwhelming them with everything being resolved in one fell swoop. That period ended March 1, 2019, so now thousands of institutions in New York must be in total compliance with the following major areas:

• Section 500.02: Implement a Cybersecurity Program
• Section 500.03: Write and Maintain a Cybersecurity Policy
• Section 500.04: Designate a Chief Information Security Officer
• Section 500.10: Hire Cybersecurity Professionals or Contract Third-party Vendors
• Section 500.16: Develop an Incident Response Plan

Additionally, organizations must conduct regular penetration testing (Section 500.05) and bi-annual risk assessments (Section 500.09), maintain audit trails (Section 500.06), and encrypt sensitive data both in transit and at rest (Section 500.15), among other security practices. The regulations will be enforced by NYDFS “under any applicable laws,” meaning failure to comply can open a company up to civil and criminal actions under existing statute, such as New York’s banking laws.

As with breach notification, NYDFS has created an online portal for all necessary filings. But how do you get to the point where you can file with confidence in the first place? No need to go it alone: Compass IT Compliance can help protect your customers’ data and money from illegal withdrawals by cybercriminals while you focus on your core business. Contact us today to learn more!