New York DFS Takes First Enforcement Action Under Its Cybersecurity Regulation
On July 22, 2020, the New York State Department of Financial Services (DFS) announced that it brought its first enforcement action against a company over alleged violations of cybersecurity requirements. While this is certainly an important development for financial companies and others subject to DFS jurisdiction, companies not regulated by DFS can use this as an example of how regulators might assess a data breach or incident and the policies or procedures a company implements in response.
In its Statement of Charges and Notice of Hearing, DFS alleged violations of its Cybersecurity Regulation, which became effective in March 2017, with certain provisions taking effect in March 2019. The Regulation requires banks, insurance companies, and other DFS-regulated entities to establish and maintain a cybersecurity program designed to protect consumers and ensure the security of the financial services industry.
The charges brought by DFS allege that First American Title Insurance Company (First American or Company) violated six provisions of the Cybersecurity Regulation, including a failure to: perform an adequate risk assessment; maintain proper access controls; provide adequate security training for employees; and encrypt certain nonpublic information. DFS alleges that each instance of Nonpublic Information (NPI) encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
A hearing has been scheduled for October 26.
Charges Brought by DFS
DFS alleges that First American's public-facing website featured a vulnerability, from October 2014 through May 2019, that exposed hundreds of millions of documents, many of which contained consumers' bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts, and other personal information. According to DFS, “[b]y permitting a URL on its public website to be vulnerable to manual manipulation, or rewriting, [the Company] laid bare millions of personal data points of its customers from hundreds of First American consumer files for access without any login or authentication requirements.”
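The flaw DFS describes is a document URL that is the only gate on the record it names. The following is an added illustration, not code from the charges or from First American: a retrieval handler that trusts the identifier in the URL, beside a hardened form that requires an authenticated session and checks that the caller is entitled to that specific record. The route, repository, and session store are constructed for the example.

```python
from typing import Optional, Tuple

# Constructed sample repository: document id -> (owning account, contents).
DOCS = {
    "1001": ("alice", "wire receipt, account ending 4421"),
    "1002": ("bob", "tax record"),
}

# Constructed session store: session token -> authenticated account.
SESSIONS = {"tok-alice": "alice"}


def serve_document_vulnerable(url_path: str) -> Optional[str]:
    """/docs/<id>: returns whatever record the URL names, to anyone.

    This is the pattern the charges describe: no login is required, and
    rewriting the trailing id in the URL yields a different customer's file.
    """
    doc_id = url_path.rsplit("/", 1)[-1]
    rec = DOCS.get(doc_id)
    return rec[1] if rec else None


def serve_document_hardened(url_path: str,
                            session_token: Optional[str]) -> Tuple[int, Optional[str]]:
    """Same route, with the controls the regulation expects around NPI access.

    1. Authenticate first: no session, no repository lookup at all (401).
    2. Authorize per object: the record must exist AND belong to the
       authenticated account; otherwise answer 404 so a missing id and a
       foreign id are indistinguishable to the caller.
    Returns an HTTP-style status plus the document, so the reason for a
    refusal is visible to callers and to access logs.
    """
    user = SESSIONS.get(session_token) if session_token else None
    if user is None:
        return 401, None
    doc_id = url_path.rsplit("/", 1)[-1]
    rec = DOCS.get(doc_id)
    if rec is None or rec[0] != user:
        return 404, None
    return 200, rec[1]
```

The authorization check on each record is the control; a harder-to-guess identifier is a useful supplement but does not replace it.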
Among its charges, DFS alleges that First American failed to follow its own policies, “failed to heed advice proffered by its own in-house cybersecurity experts,” and neglected to conduct a security review and risk assessment of its vulnerability and network. According to DFS, the Company “grossly underestimated the level of risk” associated with the vulnerability and did not address or mitigate the vulnerability quickly enough after it was discovered in December 2018.
In its six separate charges, DFS alleges that:
The Company violated 23 NYCRR 500.02, which requires that each Covered Entity maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems. DFS states that First American failed to perform risk assessments for data stored or transmitted within its Information Systems, despite internal applications’ transmission and storage of NPI.
The Company violated 23 NYCRR 500.03, which requires that a Covered Entity maintain a written policy or policies, approved by a Senior Officer or the board of directors, setting forth the policies and procedures for the protection of its information systems and the NPI stored on those systems. The cybersecurity policy must be based on the entity’s Risk Assessment and address the following areas, among others: data governance and classification, access controls, and identity management. According to DFS, the Company “failed to maintain and implement data governance and classification policies for NPI suitable to its business model and associated risks … [and] did not maintain an appropriate, risk-based policy governing access controls ... These inadequate access controls failed to prevent the exposure of NPI in millions of documents.”
The Company violated 23 NYCRR 500.07, which requires that a Covered Entity “limit user access privileges to Information Systems that provide access to NPI and shall periodically review such access privileges.” The vulnerability at hand allowed “unauthorized remote users to gain access to NPI … [and] existed due to a lack of reasonable access controls.”
The Company violated 23 NYCRR 500.09(a), which requires each Covered Entity to conduct a periodic Risk Assessment of its Information Systems to inform the design of the cybersecurity program. The Risk Assessment “shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the Covered Entity’s business operations …” Based on the charges brought by DFS, the Company “[failed] to identify where NPI was stored and transmitted through its Information Systems, but also [failed] to identify the availability and effectiveness of controls to protect NPI and Information Systems.”
The Company violated 23 NYCRR 500.14(b), which requires Covered Entities to provide regular cybersecurity awareness training for all personnel, and such training must be updated to reflect risks identified by the Covered Entity in its Risk Assessment. DFS found that First American “did not provide adequate data security training for [its employees and affiliated title agents responsible for identifying and uploading sensitive documents into the applicable data systems].”
The Company violated 23 NYCRR 500.15, which requires that Covered Entities implement controls, including encryption, to protect NPI held or transmitted by the Covered Entity both in transit over external networks and at rest. Compensating controls may be implemented if encryption is not feasible, but they must be reviewed by the CISO annually. First American “failed to encrypt documents marked as sensitive within [its data] repository. Other documents that contained sensitive data but were erroneously not marked as sensitive—were not encrypted until mid-2019.”
What This Means for DFS-Regulated Entities
As underscored in its first enforcement action under the Cybersecurity Regulation, DFS will take action against companies that it perceives have not appropriately protected or mitigated security vulnerabilities, or that fail to implement appropriate internal risk-based policies and procedures.
A company’s cybersecurity practices and procedures will vary based on its unique operations, systems, and data. However, based on the first enforcement action under the Cybersecurity Regulation, companies subject to DFS jurisdiction should:
Prioritize and maintain a cybersecurity program as part of their overall enterprise risk management.
Obtain senior-level approval of risk-based cybersecurity policies and procedures that outline how the company will protect its information systems and the sensitive data on those systems, and the steps necessary to respond to and mitigate risks and vulnerabilities.
Establish and maintain internal policies that limit both the types of sensitive data or NPI that may be accessed and the number of privileged or authorized users who have access to it.
Frequently perform internal risk assessments based on the type of data a company may possess or process—and update risk assessments based on the ever-evolving threat landscape and potential mitigations available.
Perform and maintain cybersecurity hygiene and awareness training for all personnel—including, potentially, third parties with access to their networks—and update such training as informed by regular risk assessments.
Encrypt sensitive data and NPI, or implement other appropriate controls to protect it. If encryption is not feasible, implement alternative risk-based controls that are approved and regularly reviewed by the CISO.
If a data exposure is discovered, act promptly and in accordance with internal cybersecurity policies and procedures to address vulnerabilities.
The DFS action underscores that regulators will look closely at how data exposures are mitigated and addressed, and understanding regulators’ expectations is critical in formulating an effective response.