DFS Announces $1 Million Cybersecurity Settlement With First American Title Insurance Company

The New York State Department of Financial Services (DFS) made an announcement today stating that First American Title Insurance Company (First American) has agreed to pay a $1 million penalty to the state of New York for breaching DFS’s Cybersecurity Regulation (23 NYCRR Part 500) due to a significant cybersecurity incident in May 2019. This breach led to the exposure of private information of consumers. Besides the monetary penalty, the company has committed to implementing substantial corrective actions to enhance the security of consumer data. First American, being the nation's second-largest title insurance provider, annually gathers personal and financial information of hundreds of thousands of individuals via title-related documents and stores this data in its exclusive EaglePro software. In May 2019, the senior management of First American became aware of a vulnerability in the EaglePro application that permitted anyone with the access link to view not only their personal documents but also those of individuals in unrelated transactions without proper authentication. Upon investigation, DFS found that First American did not comply with the Cybersecurity Regulation, as the company neglected to establish and enforce adequate governance and classification, access controls, identity management, and risk assessment policies and procedures. Consequently, EaglePro lacked robust access controls to prevent unauthorized users from reaching consumers' private data. The DFS Cybersecurity Regulation, enforced since March 2017, has been viewed as a standard by various regulators, such as the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners (NAIC), and the CSBS Nonbank Model Data Security Law. In November of the current year, DFS Superintendent Adrienne A. Harris, following discussions with industry stakeholders, introduced revisions to the Cybersecurity Regulation to fortify cyber governance, decrease risks, and boost protections for New York businesses and consumers against cyber threats.

First American Title Insurance Company has consented to a settlement of a $1 million fine to the New York State Department of Financial Services following a significant cybersecurity incident that compromised private information of customers. The breach occurred due to the company's inadequate cybersecurity protocols, which are mandated by the Department's Cybersecurity Regulation. Additionally, the company has committed to enforcing substantial corrective actions to enhance the protection of customer data.