Title insurer fined $1M in New York cybersecurity settlement

The New York State Department of Financial Services said Tuesday that First American Title Insurance Co. will pay a $1 million penalty in a settlement with the department for violating its cybersecurity regulation, in connection with a 2019 large-scale cybersecurity breach.

The department said in addition to the penalty, the Santa Ana, California-based company, which is the nation’s second–largest title insurer, will implement significant remedial measures to better secure consumer data.

This follows a fine paid to the U.S. Securities and Exchange Commission last year in connection with the same breach.

The department said in its statement that First American’s senior management first learned of a vulnerability in its proprietary EaglePro application that allowed individuals to access documents of others in unrelated transactions in addition to their own in May 2019.

It said the insurer did not maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and producers.

It said as a result, it did not have sufficient access controls designed to prevent unauthorized users from gaining access to consumers’ nonpublic information.

First Amendment said in a statement it is “pleased that this matter has been resolved.”

In June 2021, without admitting or denying the SEC’s findings, First American agreed to pay the agency a $487,616 penalty for allegedly failing to disclose a cybersecurity vulnerability.

The U.S. District Court in Los Angeles dismissed a cybersecurity lawsuit filed by a pension fund against the insurer in connection with the breach in September 2021.