
NYDFS levies novel punishment for exposure of personal information

Chris Hamblin, Editor, London, 27 July 2020


The New York Department of Financial Services has presented a statement of charges to a court against one of the firms that it regulates, alleging that it knowingly exposed hundreds of millions of documents to access by the public. These are the first charges that stem from its Cybersecurity Regulation.

First American Title Insurance Company, where the documents were kept, is one of the largest providers of title insurance in the United States, but its alleged shortcomings are of interest to wealth management firms as well.

The documents contained consumers’ sensitive personal information (which the NYDFS calls non-public information) including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and pictures from drivers’ licences. The Cybersecurity Regulation is to be found in Part 500 of Title 23 of the New York Codes, Rules and Regulations.

In the statement of charges, the department alleges that a vulnerability in the firm's information systems exposed personal information to "anyone with a web browser" for several years from October 2014, and that the firm failed to remedy the exposure until May last year, long after it had discovered it in December 2018.

DFS alleges that First American consciously failed to follow its own cybersecurity policies, neglecting to conduct a security review and a risk assessment of the flawed computer programme and the sensitive data associated with the flaw.

First American allegedly misclassified the weakness in its systems as “low severity” despite the magnitude of the exposure, while also failing to investigate it within the timeframe dictated by its internal policies.

A penetration (or 'pen') test uncovered the exposure of data, but then the firm failed to conduct a reasonable investigation into its extent and cause, reviewing only ten of the millions of documents that were exposed. It also failed to follow the recommendations of its internal cybersecurity team to investigate further.

The DFS alleges that these errors, deficient controls, and other flaws in First American’s cybersecurity practices led to the data exposure persisting not only for years before December 2018 but also for months afterwards.  

The Cybersecurity Regulation

According to the statement of charges, First American broke six provisions of the Cybersecurity Regulation, which was passed pursuant to section 408 of the Financial Services Law. Any violation of s408 with respect to a financial product or service, which includes title insurance but also private banking, can lead to penalties of $1,000 per infraction if the regulator wants to set them that high. The NYDFS says that each instance of non-public information encompassed within the charges constitutes a separate infraction.

The hearing will be held at the office of the New York State Department of Financial Services at One State Street in New York, beginning on 26 October.

The Cybersecurity Regulation became effective in March 2017. It has served as a model for other regulators in other states. Last year Linda Lacewell, the superintendent who runs the NYDFS, created its Cybersecurity Division, a first of its kind for a financial regulator, placing it on equal footing with the Banking, Insurance, and Consumer Protection and Financial Enforcement Divisions.

Anatomy of a data disaster

The glitch was first introduced during an application software update in May 2014. In October 2014 the firm updated its EaglePro system in a way that brought the glitch into effect. The firm's main repository of documents is known as FAST, which in 2018 contained 753 million documents, 65 million of which had been tagged by staff as containing non-public information. A random sample of 1,000 documents that were not tagged showed that 30% of them also contained non-public information. EaglePro is a web-based title document delivery system that allows title agents to share any document in FAST with outside parties such as the parties to real-estate transactions. Title insurance policies insure the interests of owners or lenders against defects in the title to real property and make up 91% of the firm's business.

Why did the firm fail to close the gap when it became aware of it in the winter of 2018-19? The NYDFS lists seven factors.

  • It grossly underestimated the risk that the problem posed, partly because it classified it as "medium severity." Later on (as we shall see) this was downgraded to "low severity," a classification that calls for a remedy within a leisurely 90 days.
  • The firm failed to follow its own cyber-security policies.
  • It conducted an "unacceptably minimal" review of exposed documents, which closed its eyes to the seriousness of the gap in security. The ten documents that the cyber-defence team looked at contained no non-public information. The NYDFS is a trifle wide-eyed about this, imputing no conscious desire on the part of the firm to brush the problem under the carpet. It does, at least, refer to the review of only ten documents as "preposterously minimal."
  • The firm failed to heed advice proffered by its own cyber-security experts.
  • The director of the cyber-security team - the regulator does not say deliberately - inexplicably reclassified the "medium severity" glitch as "low severity."
  • The firm failed to stick to its internal policies.
  • It commandeered an unqualified employee with little experience of data security to fix the problem. It never gave him a copy of the EaglePro "pen test" which described the problem.

On top of all this, EaglePro and FAST generally lacked adequate controls to protect non-public information in the regulator's eyes.

The value of journalism in compliance

On 24 May last year a journalist called Brian Krebs, who reports on cybersecurity issues, published an article revealing that the firm had exposed 885 million documents, dating as far back as 2003 and many containing non-public information, by rendering them openly accessible to the public. Mr Krebs himself was easily able to view the data. In the days before he published his article, Mr Krebs and someone else - presumably his source, perhaps at First American but perhaps not - who had stumbled upon the problem repeatedly reached out to First American to alert it. Only after publication did the firm inform the NYDFS of the débâcle, as required by 23 NYCRR 500.17 (the New York Codes, Rules and Regulations, the state government's compilation of its administrative rules).
