A Q&A with Jena Valdetero of Bryan Cave Leighton Paisner LLP
Cybersecurity regulators at New York’s Department of Financial Services (NYDFS) recently demonstrated their commitment to aggressive enforcement with charges against First American Title Insurance Company. First American, the agency alleges, did not address known vulnerabilities in its systems that contained consumers’ personal data. We spoke to Jena Valdetero, partner and co-leader of the data privacy and security team at Bryan Cave Leighton Paisner LLP, about the precedent of this case, and what companies can expect from regulators going forward.
What are some of the unique and critical issues surrounding this case?
JV: The First American case sends a warning to other similar organizations that they need to step up their cybersecurity game. The NYDFS seems particularly concerned with the period of time that the security vulnerability went undetected – more than five years. What has likely compounded the charges against First American is the fact that once they discovered the vulnerability, they characterized it as being a “medium” risk, a conclusion with which the NYDFS appears to vehemently disagree. They later mischaracterized it as a “low” risk.
The vulnerability then allegedly was not fixed until six months after it was discovered, despite an internal requirement to remediate low risks within 90 days. In addition, the NYDFS faults First American for failing to follow its own policies and procedures of remediating known vulnerabilities within a certain timeframe.
The NYDFS also seemed concerned about the lack of a process for identifying documents that contained non-public personal information (NPI). To a large degree, First American is facing the same issues that many large companies face in the cybersecurity space. Giant companies are so big that it’s difficult to move quickly and ensure that the right person has ownership over each security issue.
Given that DFS requires covered entities to take specific steps to fortify cybersecurity protocols and to report breaches within 72 hours, would you agree that one of the essential controls that needs to be in place proactively would be an actionable incident response plan?
JV: We always recommend that companies have an incident response plan, but what’s interesting here is that reasonable people could argue about when this became a true security incident. The vulnerability was discovered as part of a penetration test, so it’s debatable whether that is a true “incident.” However, the discovery should have triggered activation of the incident response team.
At that point, however, First American appears to have taken action, notified the NYDFS and hired a forensic investigator. One issue is that the access logs only went back 11 months (a common problem in incidents with long-term potential exposure), and it simply could not confirm whether the data before that time had been at risk.
The DFS regulator appears to be pursuing a fine or settlement of $1000 per record. Might this arguably bankrupt many clients?
JV: Many statutes set forth statutory fines that, at first glance, appear to be fairly reasonable. However, as you point out, it’s all in the calculation. What will likely happen is First American and the NYDFS will cut a deal and settle the matter, assuming the allegations in the complaint are true(ish). The NYDFS’s goal is to drive companies to compliance–they aren’t looking to drive them out of business.
Was there any (a) forensic proof that the data exposed was in fact taken by a threat actor or criminal; or (b) evidence of fraud within this large pool of victims that correlates back to FATI?
JV: According to the complaint, the only third parties who they know viewed some of the documents were well-respected reporter Brian Krebs, an unidentified individual who appears to have tried to warn First American (likely a “white hat” hacker), and the penetration test consultant. The logs that were available to First American indicated that in 2018-19, more than 350,000 documents were “accessed without authorization by automated bots or scraper programs designed to collect information on the internet.”
While not great, it is likely that the bots or scrapers related to automated search engine sourcing and not a person with bad or unknown motives. It is highly likely that the individuals whose information was potentially exposed will never realize harm as a result.
One of the issues we noted was that FATI identified risks by past assessment that were not remediated in a timely manner. Can you add any detail as to what the regulator considers “timely?” Might this be problematic for many organizations given that risk assessments can often identify hundreds of cyber risk issues in even forward-leaning organizations, some of which might be arguably theoretical vulnerabilities flagged by automated cybersecurity scanning tools?
JV: This is exactly the issue. I suspect First American will have experts support their categorization of the risk level. Regardless, the NYDFS looked at First American’s own policies for remediating even low-risk events and found that they failed to do so within the 90 days prescribed by their own policy. Pen tests and risk assessments are a bit of a “seek and ye shall find” exercise—there will always be issues discovered even with the best company.
Many laws, including NYDFS cyber regulations, require these types of tests, but addressing all of the issues identified is another story. Most companies have limited resources and will often prioritize the more serious issues.
Any suggestions for clients in need of compliance with DFS?
JV: The NYDFS is definitely flexing its muscle with this complaint and sending a message to all covered entities that it is willing to pursue enforcement actions against companies it deems egregiously in violation of requirements. Increasing regulation in the cybersecurity space is in direct response to the increasing sophistication and number of data security incidents facing companies.
So, while it may be a nuisance to have to comply with yet another costly regulation, companies should look at compliance as an opportunity to protect themselves against a potential cyberattack.
We want to thank Ms. Valdetero for her thoughtful comments on this emerging cybersecurity regulatory issue. Many of our clients and insurers within the financial services sector are paying attention to how this regulation will be interpreted and enforced. This conversation underscores several key takeaways, such as the importance of responding to revealed cybersecurity vulnerabilities in a prudent and timely manner, and striving to adhere to internal policies governing security and incident response. A final note of appreciation to Ms. Valdetero—she is a leading legal expert inside the cyber risk insurance industry and we’re grateful for her insights.