Listen to this post

On November 28, 2023, the New York Department of Financial Services (“NYDFS”) announced that First American Title Insurance Company (“First American”), the second-largest title insurance company in the United States, would pay a $1 million penalty for violations of the NYDFS Cybersecurity Regulation in connection with a 2019 data breach. The NYDFS investigated the company’s response to the data breach and alleged that First American knew of a vulnerability in its technical systems that exposed consumers’ non-public information, but failed to investigate or report the vulnerability until several months later. The NYDFS concluded in its consent order with First American that the company violated the NYDFS Cybersecurity Regulation by failing to maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and procedures, which resulted in unauthorized access to consumers’ non-public information.