Cyber(in)security: New York Levies Fine for Failure to Implement Written Policies
By Palmina Fava, Briana Falcon, and Josh Hasler
On November 27, 2023, the New York State Department of Financial Services (“DFS”) and First American Title Insurance Company (“First American”) entered into a consent order1 that resolved litigation over First American’s cybersecurity practices. Though the associated fine ($1 million) was relatively small, the order serves as a reminder to all organizations that simply having cybersecurity policies and procedures in place is insufficient when they are not in fact implemented.
Legal Background
Among other things, DFS cybersecurity regulations require DFS-regulated entities (“Covered Entities”), such as First American, to design a cybersecurity program that protects the confidentiality and integrity of information systems and the nonpublic information they contain.2 Covered Entities periodically must perform risk assessments and update their cybersecurity programs as necessary to address changes to the Covered Entities’ risks, information systems, nonpublic information, or business operations.3 In addition to other factors, Covered Entities’ cybersecurity policies must address data governance and classification, access controls and identity management, systems and network security, and risk assessment.4
According to the consent order, First American failed to (1) adequately maintain and implement an effective cybersecurity policy related to access controls and based on its risk assessment and (2) implement access controls sufficient to prevent unauthorized users from gaining access to nonpublic information through its proprietary EaglePro application. According to the consent order, both failures violated Sections 500.3 and 500.7 of New York’s cybersecurity regulations.5
The EaglePro Issue
First American collects documents from parties to real estate transactions, some of which contain nonpublic information. When a document is uploaded to First American’s image repository, it is assigned a document ID number, and the individual uploading the document is supposed to code whether the document contains nonpublic information. First American’s EaglePro application facilitated the sharing of these documents via hyperlink. Although First American instructed users not to transmit documents containing nonpublic information through its EaglePro hyperlinks, there were no controls in place to prevent users from doing so.
A 2018 internal vulnerability test and a 2019 report by a cybersecurity journalist revealed that users with access to one hyperlink could access documents other than those shared with them by simply replacing the document ID number in the URL. The journalist alleged he was personally able to view consumer nonpublic information and that 885 million documents, some of which dated as far back as 2003, were exposed to the public.
Although First American had many cybersecurity policies and procedures in place, First American “failed to ensure their full and complete implementation.”6 Moreover, a self-conducted risk assessment incorrectly classified EaglePro as an application that did not contain nonpublic information, as the journalist’s test demonstrated. The vulnerability in the EaglePro application allowed users to access documents containing nonpublic information which constituted a failure to “implement an appropriate, risk-based policy governing access controls for EaglePro.”7
Lessons Learned
Other organizations should take note of this incident and ensure their cybersecurity policies and procedures are fully and effectively implemented. Further, while it is prudent to conduct regular vulnerability testing, those tests are of little use if the vulnerabilities identified are not promptly addressed.
These concerns are not limited to companies covered by the New York cybersecurity regulations. Other laws — the Federal Trade Commission Act, the Sarbanes-Oxley Act, SEC Regulation S-P, the Gramm-Leach-Bliley Act, and others — impose parallel cybersecurity requirements. In addition, public companies should take steps to ensure that newly required cybersecurity disclosures accurately reflect current practice.
Vinson & Elkins helps companies navigate these complex issues through all stages of risk assessment, cybersecurity policy development and implementation, incident response, and resulting litigation.
1 Consent Order, In re First American Title Insurance Company (N.Y. State Dept. of Fin. Servs. Nov. 27, 2023), https://www.dfs.ny.gov/system/files/documents/2023/11/ea20231128_first_american_4.pdf.
2 See 23 NYCRR §§ 500.1(c), (e), (g), (k), 500.2(b).
3 Id. §§ 500.2(b), 500.3, 500.9(a).
4 Id. § 500.3(b), (d), (g), (m).
5 See id. §§ 500.3(b), (d), (m), 500.7.
6 Consent Order ¶ 26.
7 Id.
Related Insights
- CLE EventWebcastDecember 5, 2024CLE Credit
- Event RecapSeptember 4, 2024Video
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.