Cloud Defense Logo

Products

Solutions

Company

Breach
2019
DFS Announces $1 Million Cybersecurity Settlement With First American Title Insurance Company

DFS Announces $1 Million Cybersecurity Settlement With First American Title Insurance Company

Table of Contents

Incident Details

The New York State Department of Financial Services (DFS) made an announcement today stating that First American Title Insurance Company (First American) has agreed to pay a $1 million penalty to the state of New York for breaching DFS’s Cybersecurity Regulation (23 NYCRR Part 500) due to a significant cybersecurity incident in May 2019. This breach led to the exposure of private information of consumers. Besides the monetary penalty, the company has committed to implementing substantial corrective actions to enhance the security of consumer data. First American, being the nation's second-largest title insurance provider, annually gathers personal and financial information of hundreds of thousands of individuals via title-related documents and stores this data in its exclusive EaglePro software. In May 2019, the senior management of First American became aware of a vulnerability in the EaglePro application that permitted anyone with the access link to view not only their personal documents but also those of individuals in unrelated transactions without proper authentication. Upon investigation, DFS found that First American did not comply with the Cybersecurity Regulation, as the company neglected to establish and enforce adequate governance and classification, access controls, identity management, and risk assessment policies and procedures. Consequently, EaglePro lacked robust access controls to prevent unauthorized users from reaching consumers' private data. The DFS Cybersecurity Regulation, enforced since March 2017, has been viewed as a standard by various regulators, such as the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law. In November of the current year, DFS Superintendent Adrienne A. Harris, following discussions with industry stakeholders, introduced revisions to the Cybersecurity Regulation to fortify cyber governance, decrease risks, and boost protections for New York businesses and consumers against cyber threats.

Incident

How Did the Breach Happen?

In May 2019, there was a significant cybersecurity incident at First American Title Insurance Company, which stemmed from a security flaw in their EaglePro application. This flaw permitted unauthorized individuals to retrieve personal and financial information from individuals involved in transactions not related to each other.

What Data has been Compromised?

The leakage disclosed private information of consumers, encompassing personal and financial details gathered by First American Title Insurance Company from documents related to titles.

Why Did the company's Security Measures Fail?

The First American Title Insurance Company did not uphold the necessary standards for governance, access controls, identity management, and risk assessment, as mandated by the Department of Financial Services' Cybersecurity Regulation. Consequently, the EaglePro application of the company did not have robust enough access controls in place to thwart unauthorized entry to private information of consumers.

What Immediate Impact Did the Breach Have on the company?

Due to the security breach, the New York State Department of Financial Services has imposed a $1 million fine on First American Title Insurance Company. Additionally, the company has consented to implementing substantial corrective actions to enhance the protection of consumer information.

How could this have been prevented?

Had First American Title Insurance Company ensured proper governance and classification, access controls, identity management, and risk assessment policies and procedures in line with the Department of Financial Services' Cybersecurity Regulation, the breach could have been avoided.

What have we learned from this data breach?

The incident of data compromise underlines the significance of upholding strong cybersecurity practices, such as efficient management and categorization, restriction of access, verification of identity, and the implementation of policies and procedures for evaluating risks, in order to safeguard consumer information from unauthorized entry.

Summary of Coverage

First American Title Insurance Company has consented to a settlement of a $1 million fine to the New York State Department of Financial Services following a significant cybersecurity incident that compromised private information of customers. The breach occurred due to the company's inadequate cybersecurity protocols, which are mandated by the Department's Cybersecurity Regulation. Additionally, the company has committed to enforcing substantial corrective actions to enhance the protection of customer data.

Is your System Free of Underlying Vulnerabilities?
Find Out Now