Title Insurance Company fined $1M by NYDFS over 2019 cybersecurity breach
First American fined $1M by NYDFS over 2019 cybersecurity breach.

A title insurance company has agreed to pay a $1 million fine and enhance compliance measures following allegations of inadequate protection of customers’ personal data, particularly during a cybersecurity breach in 2019.

According to the New York State Department of Financial Services (NYDFS), First American Title Insurance Company, the nation’s second-largest title insurer, failed to address a known vulnerability in its proprietary storage platform, EaglePro, before a cybersecurity journalist uncovered the issue months later.

 

Here’s a closer look at the situation:
  • Under the NYDFS’s 2017 Cybersecurity Regulation, First American was mandated to have safeguards in place to protect customer data.
  • In December 2018, First American was made aware of a vulnerability in its EaglePro platform but did not sufficiently resolve it, according to the regulator’s consent order.
  • In May 2019, a journalist notified First American of a vulnerability in EaglePro that allowed access to Social Security numbers, bank details, and other sensitive information from 885 million customer documents.
  • First American took action by shutting down the platform, informing NYDFS of the vulnerability, notifying customers, and providing complimentary credit monitoring.
 

Following an investigation by NYDFS, it was alleged that First American breached the Cybersecurity Regulation by failing to implement and uphold effective governance, access controls, identity management, and risk assessment policies and procedures.

 

Compliance considerations:

“Though First American had numerous cybersecurity policies and procedures, it fell short in ensuring their complete and thorough implementation,” stated NYDFS in its order.

Post-breach, First American addressed the issues that led to the breaches and bolstered its cybersecurity program, as acknowledged by the regulator.

In June 2021, First American settled with the Securities and Exchange Commission by agreeing to pay close to $500,000 in connection with the incident.

 

Company response:

“We’re pleased that this matter has been resolved,” stated First American in an email. “First American is dedicated to assisting our customers in facilitating secure and smooth real estate transfers in New York.”

 

What have we learned from this cybersecurity breach?

The incident involving First American Title Insurance Company and its cybersecurity breach in 2019 highlighted the importance of safeguarding customer data. The company’s agreement to pay a $1 million fine and enhance compliance measures underscored the need for stringent cybersecurity protocols.

The failure to address a known vulnerability on the EaglePro platform brought attention to the gaps in data protection. Despite having cybersecurity policies in place, First American’s incomplete implementation led to the breach. The subsequent actions taken by the company, such as shutting down the platform, notifying authorities and customers, and providing credit monitoring, demonstrated a commitment to rectifying the situation.

The investigation by the New York State Department of Financial Services revealed lapses in governance, access controls, and risk assessment policies at First American. However, the company’s efforts post-breach to strengthen its cybersecurity program were recognized by regulators.

The settlement with the Securities and Exchange Commission in June 2021 further emphasized the importance of proactive cybersecurity measures. First American’s dedication to ensuring secure real estate transfers and assisting customers points towards a renewed focus on data protection and compliance in the future.

 

Nine ways to help keep your business secure from a data breach:
  1. Risk Assessment: Start by identifying the potential cybersecurity risks to your business. This could include threats such as malware, phishing attacks, insider threats, or even physical breaches. Understand the potential impact of these risks on your business operations and data.
  2. Create a Cybersecurity Policy: Develop a comprehensive cybersecurity policy that outlines your organization’s approach to security. This policy should include guidelines for data handling, password management, employee training, incident response procedures, and compliance requirements.
  3. Employee Training: Educate your employees about cybersecurity best practices. This includes training on how to identify phishing emails, the importance of strong passwords, and how to handle sensitive information securely. Regular training sessions and updates on emerging threats are essential.
  4. Implement Strong Authentication: Enforce strong authentication methods such as multi-factor authentication (MFA) for accessing sensitive systems and data. This adds an extra layer of security beyond just passwords, making it harder for unauthorized users to gain access.
  5. Keep Systems Updated: Regularly update your software, operating systems, and applications to patch known vulnerabilities. Hackers often exploit outdated software to gain access to systems, so staying up-to-date with patches is crucial.
  6. Use Firewall and Antivirus Software: Install and regularly update firewall and antivirus software on all devices connected to your network. These tools help detect and prevent unauthorized access and malicious software from compromising your systems.
  7. Encrypt Data: Encrypt sensitive data both at rest and in transit. Encryption converts data into a format that can only be read with the correct encryption key, adding an extra layer of protection against unauthorized access.
  8. Backup Data Regularly: Implement a regular backup strategy for your business data. This ensures that even if your systems are compromised, you can restore your data from backups without significant loss.
  9. Cyber Insurance: Consider investing in cyber insurance to help mitigate the financial impact of a cybersecurity breach. Cyber insurance can cover costs related to data recovery, legal fees, and reputational damage.


First American fined $1M by NYDFS over 2019 cybersecurity breach | News Brief | Compliance Week
