Printed from BusinessInsurance.com

Fund’s cybersecurity suit against title insurer dismissed

Posted On: Sep. 28, 2021 2:12 PM CST

A federal district court has dismissed a cybersecurity lawsuit filed by a pension fund against a title insurance company that had earlier reached a settlement with the U.S. Securities and Exchange Commission in the matter.

The U.S. District Court in Los Angeles last week agreed to dismiss the lawsuit filed by the St. Lucie, Florida-based St. Lucie County Fire District Firefighters Pension Trust Fund against Santa Ana, California-based First American Financial Corp. The suit charged the title insurer with misrepresenting its security practices and controls to investors, according to the ruling in In re First American Financial Corp. Securities Litigation.

Also named as defendants were the company’s CEO, chief financial officer and chief information security officer.

The ruling was first reported by the D&O Diary.

On June 15, without admitting or denying the SEC’s findings, First American agreed to pay a $487,616 penalty for allegedly failing to disclose a cybersecurity vulnerability.

Last Wednesday’s ruling states that a flaw in the system used by First American gave rise to a breach in which more than 350,000 documents were accessed without authorization, starting in June 2018 and continuing for 11 months.

The ruling by Judge Dale S. Fischer rejected the fund’s contention that First American had failed to implement basic security standards and disregarded its own information security policies.

That the board of directors may have known of existing vulnerabilities “does not support” that its disclosure statements were false or misleading, the ruling said.

The board’s generalized conversations about data security issues “do not establish that First American was aware of existing compromised data or support that the disclosure statements were specific enough to be contradicted by that general knowledge,” the ruling said.

The ruling says the court agrees with defendants that statements made about cybersecurity “are either untrue or unactionable puffery” and that the fund “has not identified any facts to support the allegation that Defendants’ statements about the Breach were false or misleading.”

In granting the motion to dismiss, the ruling said an amended complaint must be filed no later than Oct. 25.

Attorneys in the case did not respond to requests for comment.