In a landmark legal case that could test cybersecurity regulations and associated penalties, The New York State Department of Financial Services (DFS) has filed cybersecurity charges against First American Title Insurance Company, one of the largest providers of title insurance in the United States.
This marks the first time DFS has filed cybersecurity charges that allege an organization violated its Cybersecurity Regulation, according to a prepared statement.
The case is of particular note to MSSPs (managed security services providers) and IT consulting firms that support financial services firms in New York. Moreover, attorneys general from other states are watching the case to see how well cybersecurity regulations -- and associated financial penalties -- hold up in court.
DFS alleges that a security vulnerability in First American's information systems led to the exposure of consumers' sensitive personal information over the course of several years. It also claims that First American failed to remedy the exposure after it was discovered in December 2018.
A Closer Look at DFS's Cybersecurity Charges Against First American
DFS alleges that First American did not comply with provisions of its Cybersecurity Regulation, including:
First American violated six provisions of the Cybersecurity Regulation, DFS alleges. Any violation of Section 408 of this regulation with respect to a financial product or service carries penalties of up to $1,000 per violation, and each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
Next Steps: October Hearing
DFS will host a hearing regarding the cybersecurity charges against First American on Oct. 26, 2020.
The New York State Department of Financial Services (DFS) alleges that First American Title Insurance Company put its customers' sensitive data in danger.
