First American Title data-breach case in New York shows broad role of state enforcers in absence of US data-protection law

24 Jul 2020 3:00 pm by Mike Swift


The New York state Department of Financial Services notched a milestone when it filed its first data security enforcement action, alleging a California real estate title insurance firm exposed millions of consumer documents with sensitive personal information on its website.

First American Title Insurance, a California company, failed to fix a known vulnerability in its website that the DFS says allowed anyone to manually edit the URL of the company’s website to get access to hundreds of millions of sensitive consumer documents, many of which contained Social Security numbers, bank account numbers and other sensitive personal information.
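The flaw the DFS describes, a record that can be reached simply by changing an identifier in a URL, is the pattern commonly called an insecure direct object reference. The following is an added illustration, not code from the article, from First American or from the DFS filing: a minimal document-lookup handler in its weak form next to a hardened one. All names, records and identifiers are constructed for the example. The fix that matters is the per-record authorization check; unguessable identifiers and an audit trail of denied lookups are shown only as defence in depth and as the signal an enumeration attempt leaves behind.

```python
from dataclasses import dataclass
import secrets
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str      # account entitled to view this record
    contents: str


class Forbidden(Exception):
    """Raised when the requester is not entitled to the record."""


# Constructed sample store. Sequential ids model the weak design in which
# neighbouring records are trivially enumerable by editing the URL.
SEQUENTIAL_STORE: Dict[str, Document] = {
    "1001": Document("1001", "alice", "closing statement (constructed)"),
    "1002": Document("1002", "bob", "wire instructions (constructed)"),
}


def fetch_document_vulnerable(doc_id: str, requester: str) -> Optional[Document]:
    """Weak handler: the requester is known but never compared with the
    record's owner, so any caller who alters the id receives whatever
    record happens to carry it."""
    return SEQUENTIAL_STORE.get(doc_id)


def fetch_document_hardened(doc_id: str, requester: str,
                            store: Dict[str, Document],
                            audit_log: List[str]) -> Document:
    """Hardened handler: every lookup is authorized against the record
    itself, and the decision is written to an audit log. A missing record
    and a foreign record are treated identically so the response does not
    reveal which ids exist."""
    doc = store.get(doc_id)
    if doc is None or doc.owner != requester:
        audit_log.append(f"DENY requester={requester} doc_id={doc_id}")
        raise Forbidden(doc_id)
    audit_log.append(f"ALLOW requester={requester} doc_id={doc_id}")
    return doc


def is_authorized(doc_id: str, requester: str, store: Dict[str, Document]) -> bool:
    """Convenience wrapper returning the authorization decision as a bool."""
    try:
        fetch_document_hardened(doc_id, requester, store, [])
        return True
    except Forbidden:
        return False


def new_document_id() -> str:
    """Defence in depth only: a random id makes blind enumeration
    impractical, but it never replaces the ownership check above."""
    return secrets.token_urlsafe(16)


def build_random_id_store(source: Dict[str, Document]) -> Dict[str, Document]:
    """Re-key the constructed store with unguessable ids, preserving owners."""
    store: Dict[str, Document] = {}
    for doc in source.values():
        rid = new_document_id()
        store[rid] = Document(rid, doc.owner, doc.contents)
    return store


def count_denied(audit_log: List[str]) -> int:
    """Detection hook: a burst of DENY entries from one requester is the
    trace that id-guessing leaves in the access log."""
    return sum(1 for line in audit_log if line.startswith("DENY"))


if __name__ == "__main__":
    log: List[str] = []
    # Weak handler hands alice bob's record; hardened handler refuses it.
    print(fetch_document_vulnerable("1002", "alice").owner)
    print(is_authorized("1002", "alice", SEQUENTIAL_STORE))
    for guess in ("1002", "1003", "1004"):
        try:
            fetch_document_hardened(guess, "alice", SEQUENTIAL_STORE, log)
        except Forbidden:
            pass
    print(count_denied(log), "denied lookups recorded")
```

The hardened path returns the same error for a record that does not exist and for one belonging to someone else, which keeps the handler from acting as an oracle for which identifiers are valid. The audit log is the piece a detection team would wire into alerting: a single user producing many denials across consecutive identifiers is the enumeration behaviour the article's "manually edit the URL" description implies.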

“The Vulnerability thus led to exposure of a staggering volume of personal and financially sensitive documents, any number of which could be used by fraudsters to engage in identity theft and even outright theft of assets. Moreover, such theft could occur without individuals knowing their information had been stolen from Respondent,” the DFS said in a complaint filed Wednesday.

Notably, none of the consumers identified in First American’s internal investigation of the breach were residents of New York state; all of them lived elsewhere in the US, First American told MLex in a written statement in which the company also said it “strongly disagrees” with the DFS allegations.

The milestone first filing of a statement of charges under the DFS’s new Cybersecurity Regulation to address a national data breach illustrates how, in the continued absence of a federal privacy and data security law, state enforcers will continue to play an outsized role in privacy and data-security regulation. So long as that situation continues, a few key state laws and regulators from New York and a few other big states will help drive US data protection policy and enforcement.

California regulators are likely to be next in line. With enforcement having begun July 1 for privacy protections under the new California Consumer Privacy Act, senior officials with the Office of the California Attorney General have said that while they plan to be flexible about compliance for smaller companies, CCPA enforcement will be a “big priority” for Attorney General Xavier Becerra.

And California voters will decide in November whether to create the first standalone US privacy regulatory agency when they vote on the California Privacy Rights Act. If the CPRA ballot initiative passes, Becerra would continue to enforce CCPA during an interim period while the new privacy enforcer hired staff and became operational, prior to the CPRA taking effect in 2023.

The Illinois Biometric Information Privacy Act is another state law that is having a national impact in the absence of a federal privacy law covering biometric data such as facial-recognition scans. Facebook this week agreed to sweeten, to $650 million, its offer in a federal court in California to settle BIPA litigation, and the law is the basis of litigation against Clearview AI in cases brought in California, New York and other states.

First American, which is based in Santa Ana, California, argues that its data breach was far less serious than was alleged by the New York regulator.

“As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information,” First American said in a statement provided to MLex by a spokesman.

Moreover, another state regulator, the Nebraska Department of Insurance, had examined the company’s data security measures in 2019 and found them to be “suitably designed” and “operating effectively,” First American said.

The DFS has scheduled a hearing for Oct. 26 in New York City before a department hearing officer on the allegations, in what appears likely to be a case strongly contested by First American.

There is one federal regulator looking into the First American breach. The title insurer acknowledged in a securities filing Thursday that it is also being investigated by the US Securities and Exchange Commission.

But the DFS case against First American underscores how, until Congress passes a comprehensive privacy and data-security law, state laws and enforcers like New York’s and California’s remain the de facto national standard for US data-protection efforts. No matter where they are based, companies must be prepared for the risk of enforcement from regulators in those states if they violate privacy or data-protection rules.
