New York’s Department of Financial Services Initiates Its First Enforcement Action Under Its 2017 Cybersecurity Regulations
Following a publicized commitment to increased cybersecurity enforcement, the New York Department of Financial Services (“NYDFS”) initiated its first enforcement action against First American Title Insurance Co. (“First American”) on July 22, 2020. Stemming from First American’s alleged failure to adequately safeguard highly confidential, personal consumer information – including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images – this action is the first of its kind brought under NYDFS’s expansive Cybersecurity Regulations (the “Regulations”). The Regulations took effect on March 1, 2017 and established strict cybersecurity requirements for financial services companies licensed to operate under New York’s Banking Law, Insurance Law or Financial Services Law (a “covered entity”).
Among other requirements, the Regulations require a covered entity to:
- Implement and maintain cybersecurity policies and procedures that address consumer data privacy and other consumer protection issues with effective controls, secure access privileges, and thorough and regular cybersecurity risk assessments.
- Provide comprehensive training and monitoring for all personnel, including corporate governance procedures that ensure senior management is involved in and responsible for the entity’s cybersecurity and data protection program.
