First American Title Charged Over Cybersecurity Lapses

The NY State Department of Financial Services said the real-estate title insurer exposed millions of documents containing personal information.

The New York State Department of Financial Services has filed administrative charges against First American Title Insurance Company, alleging the real-estate title insurer failed to secure tens of millions of documents containing sensitive personal information of consumers.

In a statement of charges, the New York regulator said that from at least October 2014 through May 2019 the sensitive documents were available “to anyone with a web browser.”

The allegations are the first brought under New York cybersecurity regulations that went into effect in 2017.

In May 2019, Krebs on Security reported that First American leaked digitized records, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.

NYDFS said the leak continued for six months after it was widely publicized.

“For more than four years, First American Title Insurance Company exposed tens of millions of documents …,” the regulator said.

First American said its primary regulator, the Nebraska Department of Insurance, ruled its response to the breach was sufficient in June 2019.

“First American strongly disagrees with the New York Department of Financial Services’ charges,” the company said in a statement. “As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose nonpublic personal information likely was accessed without authorization and otherwise found no evidence of misuse of any nonpublic personal information. None of these identified consumers were New York residents.”

The company said it would “vigorously defend” itself against “unreasonable charges.”

Lisa Sotto, chair of the global privacy and cybersecurity practice of Hunton Andrews Kurth in New York, said companies should expect more actions. “Surprisingly, it’s taken this long for DFS to publicly flog a company that it considered to be non-compliant,” she said.

A hearing is scheduled for October 26.
