DFS Flexes Its Cybersecurity Muscles

Few regulatory initiatives in New York State created as much agita for state licensed and chartered institutions as New York’s Department Of Financial Services’ (DFS) Part 23 NYCRR 500 Cybersecurity Regulation.  The regulation mandates that regulated entities have a robust cybersecurity framework coupled with stiff penalties for violations.

Yesterday, the Department demonstrated just how serious it is about enforcing these regulations. It announced that it was bringing charges against First American Title Insurance Company for its alleged violations of these regulations following discovery of a massive data breach.  First American has indicated that it will fight these charges giving the rest of us an armchair view of litigation which could shape how aggressively states like New York and California will be able to enforce cybersecurity protections in the absence of Federal preemption.

I’ve been surprised by the lack of attention the breach of First American Title’s databases has received.  In May 2019 the KrebsOnSecurity blog broke the news that the California based Fortune 500 Company, which provides title insurance and closing services, could be compromised by anyone who knew the company URL for a valid document at its web site.  They could view other documents just by modifying a single digit in the link.  Considering the amount of non-public personally identifiable information available on the website, this is troubling news for tens of millions of Americans who had a real estate transaction involving the company as far back as 2003.

The specific allegations should be read by your Chief Information Security Officer.  The major thrust of DFS’ complaint is that its staff did not recognize the seriousness of the vulnerability or take prompt action to solve the problem once it was discovered.

The regulatory action also underscores one of the key differences between a company’s obligations under these regulations and its legal liability under a lawsuit brought by impacted consumers.  It’s much easier for regulators to successfully sue a company under New York’s regulations because New York does not have to prove that the breach harmed specific individuals.

TILA Compliance Thresholds Adjusted  

It’s that time of year again. In case you missed it, I did, on July 17^th the CFPB issued its annual inflation-adjusted thresholds for compliance with various requirements mandated by Regulation Z and the Truth In Lending Act (TILA).  These changes take effect in 2021.

On that note, enjoy watching the Yankee game tonight. Although everyone is making a bid deal about playing in empty stadiums, as a life-long Islander fan who went to hundreds of games over a 20 year period when the team was so bad that the Nassau Coliseum was dubbed “the Nassau Mausoleum”, I’m kind of use to watching games with no one around.  These are strange times we’re living in.