DFS Flexes Its Cybersecurity Muscles

July 23, 2020 at 9:16 am

Few regulatory initiatives in New York State created as much agita for state-licensed and chartered institutions as New York’s Department of Financial Services’ (DFS) Part 23 NYCRR 500 Cybersecurity Regulation. The regulation mandates that regulated entities have a robust cybersecurity framework, and it couples that mandate with stiff penalties for violations.

Yesterday, the Department demonstrated just how serious it is about enforcing these regulations. It announced that it was bringing charges against First American Title Insurance Company for its alleged violations of these regulations following discovery of a massive data breach. First American has indicated that it will fight these charges, giving the rest of us an armchair view of litigation which could shape how aggressively states like New York and California will be able to enforce cybersecurity protections in the absence of Federal preemption.

I’ve been surprised by the lack of attention the breach of First American Title’s databases has received. In May 2019 the KrebsOnSecurity blog broke the news that the California-based Fortune 500 company, which provides title insurance and closing services, could be compromised by anyone who knew the URL for a valid document on its website: that person could view other documents just by modifying a single digit in the link. Considering the amount of non-public personally identifiable information available on the website, this is troubling news for tens of millions of Americans who had a real estate transaction involving the company as far back as 2003.

The specific allegations should be read by your Chief Information Security Officer. The major thrust of DFS’ complaint is that First American’s staff did not recognize the seriousness of the vulnerability or take prompt action to solve the problem once it was discovered.

The regulatory action also underscores one of the key differences between a company’s obligations under these regulations and its legal liability under a lawsuit brought by impacted consumers.  It’s much easier for regulators to successfully sue a company under New York’s regulations because New York does not have to prove that the breach harmed specific individuals.

TILA Compliance Thresholds Adjusted  

It’s that time of year again. In case you missed it (I did), on July 17th the CFPB issued its annual inflation-adjusted thresholds for compliance with various requirements mandated by Regulation Z and the Truth In Lending Act (TILA). These changes take effect in 2021.

On that note, enjoy watching the Yankee game tonight. Although everyone is making a big deal about playing in empty stadiums, as a life-long Islander fan who went to hundreds of games over a 20-year period when the team was so bad that the Nassau Coliseum was dubbed “the Nassau Mausoleum”, I’m kind of used to watching games with no one around. These are strange times we’re living in.


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
