(Article from Insurance Law Alert, July/August 2020)
For more information, please visit the Insurance Law Alert Resource Center.
As discussed in our April 2019 and May 2018 Alerts, the New York Department of Financial Services enacted cybersecurity regulations applicable to entities subject to New York banking, insurance and financial services laws. The regulations impose certain minimum requirements for cybersecurity practices, including the maintenance of a cybersecurity program and response plan, the designation of a senior officer to oversee cybersecurity, routine risk assessment, notification of a security incident to the Department and annual compliance certification. See N.Y. Comp. R. & Regs. Tit. 23 § 500 (2017).
This month, the Department filed its first action under the regulations against First American Title Insurance Company, alleging failures relating to the company’s information systems which led to a data breach involving customers’ personal information. In the Matter of: First American Title Ins. Co., No. 2020-0030-C (N.Y. State Dep’t Fin. Servs. filed July 21, 2020). The filing alleges that from October 2014 through May 2019, customers’ bank account information, mortgage and tax records and social security numbers were available on the insurer’s public website due to a known vulnerability in its computer system. The Department claims that First American failed to conduct appropriate security reviews and risk assessments and misclassified the vulnerability as “low,” among other things. Although First American confirmed the breach, it has denied the charges. A hearing in this matter is scheduled for October 26, 2020.