First American Financial Corporation (“First American”), one of the largest issuers of title insurance in the United States, has reported a potential breach of personal and financial information. First American comprises various subsidiaries and affiliates and maintains a large network of title agents with multiple systems throughout the nation. The New York Times reported on May 29, 2019, that an estimated 885 million records may have been breached.
This security breach not only has the potential to be one of the largest data breaches in US history, but also very likely exposes highly sensitive consumer data. New York’s financial regulator, the Department of Financial Services, has commenced an inquiry “into a security failure that exposed 16 years of digital documents containing bank account statements, tax records, Social Security Numbers, wire transaction receipts, and images from drivers’ licenses.”
First American issues title insurance and provides settlement services for sales and refinances of property of all types, including individual residences. These transactions involve exchanges of highly personal information and extensive financial records of the parties, which raises significant concerns about consumer identity theft. KrebsOnSecurity, a cybersecurity watchdog website, reported recently that the documents in question had been left unprotected on a website, “available to anyone with a Web browser,” without the need for authentication. Modifying even a single digit in the link for a valid document, Krebs noted, could expose the information of unrelated individuals.
First American issued a statement on May 28 indicating that although it had shut down access to the website, the data had already been exposed for quite some time. And, as The Times reported, “First American would have no way of knowing when and how the data was viewed.”
On May 28, the New York Department of Financial Services, which six days earlier had issued a press release announcing the appointment of the Executive Deputy Superintendent of its Cybersecurity Division, sent a letter to First American asking how and when the security deficiency was discovered, what steps had been taken to remediate it, and how many people were involved. The Department of Financial Services is responsible for enforcement of cybersecurity regulations pursuant to 23 NYCRR Part 500, which are among the strictest and most prescriptive in the nation.
We have written that real estate is an increasingly enticing industry for cyber criminals, given the detail and specificity of personal and financial information held by title insurers, brokers, property managers, and property developers. In 2018, the real estate industry ranked second in cyber-crime, ahead of pharmaceutical, engineering, and manufacturing. Those organizations that are lax about security safeguards will increasingly be a target for cyber criminals, regulators, and litigators, to their financial and competitive disadvantage. We are seeing an increase in client requests to consult with them on the necessary policies and procedures, as well as to coordinate with the necessary IT professionals, so that they can remain compliant with regulations and best practices, thereby protecting their businesses and clients from these rapidly changing and sophisticated risks.
If you have questions or require assistance in cybersecurity compliance for your real estate organization, please contact Kenneth N. Rashbaum or Steven R. Ebert.