Press Release November 28 2023 DFS Announces 1 Million Cybersecurity Settlement With First American Title Insurance Company Department of Financial Services

pPress ReleaseppNovember 28 2023ppppppThe New York State Department of Financial Services DFS today announced that First American Title Insurance Company First American will pay a 1 million penalty to New York State for violations of DFSs Cybersecurity Regulation 23 NYCRR Part 500 stemming from a largescale cybersecurity breach in May 2019 The breach contributed to the exposure of consumers nonpublic information In addition to penalties the company has agreed to implement significant remedial measures to better secure consumer datappppAs the nations secondlargest title insurance company First American collects the personal and financial data of hundreds of thousands of individuals annually on titlerelated documents and stores that information in its proprietary EaglePro application In May 2019 First American senior management learned of a vulnerability in the application whereby any individual in possession of the link used to access EaglePro could access not only their own documents without authentication but also those of individuals in unrelated transactionsppppDFSs investigation found that in violation of the Departments Cybersecurity Regulation First American failed to maintain and implement effective governance and classification access controls and identity management and risk assessment policies and procedures As a result EaglePro lacked sufficient access controls designed to prevent unauthorized users from gaining access to consumers nonpublic informationppppDFSs Cybersecurity Regulation became effective in March 2017 and it has served as a model for other regulators including the US Federal Trade Commission multiple states the National Association of Insurance Commissioners NAIC and the CSBS Nonbank Model Data Security Law In November of this year after consultation with industry stakeholders DFS Superintendent Adrienne A Harris adopted amendments to the Cybersecurity Regulation designed to enhance cyber governance mitigate risks and strengthen protections for New York businesses and consumers against cyber threats ppTo review the First American consent order visit the DFS websiteppppThis page is available in other languagesp