First American fined $1M by NYDFS over 2019 cybersecurity breach
By Adrianne Appel | Wed, Nov 29, 2023 9:05 PM
A title insurance company agreed to pay a $1 million fine and implement stronger compliance measures for allegedly not securing customers’ personal data, particularly during a 2019 cybersecurity breach.
First American Title Insurance Company, the second-largest title insurer in the nation, did not address a known vulnerability on its proprietary storage platform, EaglePro, before the issue was exposed by a cybersecurity journalist months later, according to the New York State Department of Financial Services (NYDFS). The regulator announced the action Tuesday.
The details: Under the NYDFS’s 2017 Cybersecurity Regulation, First American was required to have controls in place to secure its customer data.
In December 2018, the company learned of a vulnerability in its EaglePro platform and did not adequately address it, according to the regulator’s consent order.
In May 2019, a journalist contacted First American and claimed EaglePro had a vulnerability that allowed him to easily view any Social Security numbers, bank information, and other private information contained in 885 million customer documents.
First American shut down the platform and notified the NYDFS of the vulnerability, according to the consent order. The company alerted customers and offered complimentary credit monitoring.
Following an investigation, the NYDFS alleged First American violated the Cybersecurity Regulation by failing to implement and maintain effective governance and classification, access controls and identity management, and risk assessment policies and procedures.
Compliance considerations: “Though First American had many cybersecurity policies and procedures in place, it failed to ensure their full and complete implementation,” the NYDFS said in its order.
After the breach, First American remediated the issues that led to the apparent failures and enhanced its cybersecurity program, the regulator noted.
In June 2021, First American agreed to pay nearly $500,000 as part of a settlement with the Securities and Exchange Commission related to the incident.
Company response: “We’re pleased that this matter has been resolved,” said First American in an emailed statement. “First American remains committed to supporting our customers in the secure and efficient transfer of real estate in New York.”