NYDFS’ First Cybersecurity Suit Could be a Precursor for Future Privacy Enforcement Actions

September 8, 2020 Published Article

The stringent requirements of the California Consumer Privacy Act (“CCPA”) and the new California Privacy Rights Act (“CPRA”) initiative (which will appear on the November 2020 ballot) make it more crucial than ever to protect businesses from data breaches in California.  Companies must protect sensitive information collected from consumers in order to decrease the likelihood of a data breach.  Although filed in New York, the recent lawsuit against First American Title Insurance Company (“First American”) for a massive data breach serves as a cautionary tale to all organizations of the risks that accompany a lack of proper security measures for the protection of sensitive information.  Companies that fail to enact such protocols may be in danger of similar consequences after a security breach.

What Happened with First American?

On July 22, 2020, the New York Department of Financial Services (“NYDFS”) filed suit against First American, alleging that First American exposed approximately 885 million documents with sensitive information over the course of multiple years due to flaws in First American’s document-management system, which did not contain proper security or protection measures.  These documents included bank account numbers, Social Security numbers, mortgage records, and various other sources of identifying information.  After discovering these security weaknesses in December 2018, First American did not remedy these weaknesses.  Because of this security breach, the NYDFS may penalize First American for up to $1,000 per instance of exposed personal information. 

Why Does This Matter?

This is the first cybersecurity enforcement action brought by the NYDFS under New York’s Cybersecurity Regulation, which came into effect in March 2017 and requires that various entities comply with cybersecurity protections.  The NYDFS Cybersecurity Regulation and CCPA both contain stringent security requirements for organizations, including a requirement that organizations protect against potential cybersecurity threats by establishing a proper infrastructure.  As a result, the commencement of this action could be a precursor for similar actions brought under the CCPA.  The action taken against First American illustrates the importance of regularly reviewing your organization’s cybersecurity measures to ensure compliance with applicable laws, including the CCPA.

What Should My Company Do?

If your entity collects information from consumers in a manner that requires compliance with the CCPA, it is more important than ever to ensure that your company is compliant with the CCPA’s requirements.  Companies should:

  • Conduct regular risk assessments to identify security weaknesses in their programs;
  • Ensure that they have proper network security measures in place to protect sensitive information, including placing protocols for accessing and using sensitive information; and
  • Establish a culture of cyber-risk awareness to decrease the likelihood of future breaches.

To assist companies in forming a compliance plan for privacy legislation, Newmeyer Dillion has created a California Consumer Privacy Act compliance program, where our team will collaborate with you to determine a scalable, practical, and reasonable way to meet your needs.  We also have a vast network of technical experts who can assist your company in achieving appropriate cybersecurity protection.