A. New York Cybersecurity Regulation
On March 1, 2017, 23 NYCRR 500[1] became effective. The New York Cybersecurity Regulation applies to anyone “operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under” the banking law, insurance law, or financial services law of the State of New York, although certain small organizations are exempt.[2] Until the summer of 2020, no known enforcement action had been initiated by New York pursuant to 23 NYCRR 500. That changed on July 21, 2020, when the New York Department of Financial Services (“NYDFS”) filed an action against First American Title Insurance Company and later amended it[3].
According to the statement of charges: “From at least October 2014 through May 2019, due to a known vulnerability on Respondent’s public-facing website (the “Vulnerability”), these records were available to anyone with a web browser.” The records included “bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images.”[4] The charges allege that even after learning of the Vulnerability in 2018, First American did not remediate it for a period of time. The charges also cite journalist Brian Krebs’s report that First American “had exposed 885 million documents — dating as far back as 2003 and many containing NPI — by rendering the documents openly accessible to the public.”[5]
After setting out the facts in detail, the NYDFS charged First American with violations of: 1) 23 NYCRR 500.02 (maintenance of a cybersecurity program), 2) 23 NYCRR 500.03 (written cybersecurity policy or policies), 3) 23 NYCRR 500.07 (limiting user access privileges), 4) 23 NYCRR 500.09 (periodic risk assessment), 5) 23 NYCRR 500.14(b) (cybersecurity awareness training), and 6) 23 NYCRR 500.15 (implementation of controls, including encryption, to protect nonpublic information).
NYDFS-regulated entities, and insurers in other jurisdictions that have enacted versions of the NAIC cybersecurity model law, will watch this action closely. The NYDFS has often led in developing and enforcing laws that later spread to other states. Businesses that fall under NYDFS oversight should review their cybersecurity policies and practices to confirm they satisfy regulations that have been in place for more than three years and that the NYDFS has now begun to enforce.
While the First American action was the first action brought for alleged violations of 23 NYCRR 500 and the first against an insurer, it is no longer the only one. In March 2021, the NYDFS entered into a consent order[6] with Residential Mortgage Services, Inc., a mortgage banker and mortgage servicer licensed in New York. Unlike most departments of insurance, the NYDFS regulates a variety of other financial services companies as well.[7]