After several years of anticipation, the New York State Department of Financial Services (DFS) has filed its first enforcement action under the agency’s groundbreaking and first-in-the-nation 2017 cybersecurity regulation (Part 500 of Title 23 of the New York Codes, Rules, and Regulations), which prescribes how financial services companies licensed to operate in New York should construct their cybersecurity programs. This action is a wake-up call to covered entities to fully implement the directives of Part 500.
A statement of charges was announced on July 21, 2020, against a large real estate title insurer, alleging that a design defect in a data management computer program resulted in the exposure, over the course of several years, of hundreds of millions of documents—millions of which contained sensitive personal information of consumers, including bank account information, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.
According to the charges, the company discovered the vulnerability and exposure as a result of penetration testing it conducted in 2018, but then failed on multiple levels to remedy the exposure…