Printed from BusinessInsurance.com

New York charges title insurer with cybersecurity violation

Posted On: Jul. 24, 2020 1:13 PM CST

hacked

A title insurance company has become the first insurer to be charged with violating the New York State Department of Financial Services’ 2017 cybersecurity regulation.

DFS on Tuesday charged First American Title Insurance Co. with exposing millions of documents that contained consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts and driver’s license images.

Santa Ana, California-based First American, one of the largest providers of title insurance in the United States, wrote more than 50,000 policies in New York State in 2019, DFS said in a statement.

The agency said a vulnerability in the insurer’s information systems resulted in exposure of consumers’ sensitive personal information over the course of several years and that First American failed to remedy the exposure promptly after it was discovered in December 2018.

New York law provides for penalties of up to $1,000 per violation, according to DFS.

A hearing on the charges is scheduled for Oct. 26.

First American issued a statement saying it “strongly disagrees” with the charges “relating to a limited cybersecurity incident from May 2019.

“As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information. None of these identified consumers were New York residents.”

 The statement added, “At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges.”

The cybersecurity regulation, which became effective in March 2017, requires insurers and other financial institutions to put in place controls to ensure a robust cybersecurity program.