Title Insurer to Pay New York $1 Million Penalty Over 2019 Data Breach

The New York State Department of Financial Services (DFS) announced that First American Title Insurance Co. will pay a $1 million penalty to New York State for violations of DFS’s cybersecurity regulation stemming from a large-scale cybersecurity breach in May 2019.

The breach contributed to the exposure of consumers’ nonpublic information. In addition to penalties, the company has agreed to implement remedial measures to better secure consumer data under the consent order.

First American collects the personal and financial data of individuals on title-related documents and stores that information in its proprietary EaglePro application. In May 2019, First American senior management learned of a vulnerability in the application whereby any individual in possession of the link used to access EaglePro could access not only their own documents without authentication, but also those of individuals in unrelated transactions.

DFS’s investigation found that, in violation of the department’s cybersecurity regulation, First American failed to maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and procedures. As a result, EaglePro lacked sufficient access controls designed to prevent unauthorized users from gaining access to consumers non-public information.

DFS acknowledged the insurer’s cooperation with the investigation and implementation of remedial measures.

The DFS cybersecurity regulation became effective in March 2017. In November of this year, DFS adopted amendments to the regulation designed to enhance cyber governance, mitigate risks, and strengthen protections for New York businesses and consumers against cyber threats.

Topics Cyber Carriers New York Data Driven