On July 21, 2020, the New York State Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for breach of state cybersecurity regulations. Specifically, NYDFS alleges that First American exposed tens of millions of documents containing consumers’ sensitive personal information, including bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and drivers’ license images. The statement of charges against First American state that from October 2014 through May 2019, a vulnerability in First American’s website exposed customers’ personal data. The statement of charges also claim that First American failed to adequately remedy the vulnerability when it was eventually discovered.
First American is charged with violating multiple provisions under the NYDFS’s cybersecurity regulations. These regulations require regulated entities, like insurance providers, to establish and maintain an adequate cybersecurity program and procedures. First American is the first entity to be charged under these regulations, which came into effect in 2017.