Three years after enacting one of the most exacting cybersecurity regulations in the United States, the New York State Department of Financial Services (NYDFS) recently filed its first cybersecurity enforcement action. This enforcement action shows the importance of mitigating legal risks when addressing cybersecurity risks.
NYDFS alleged that First American Financial, one of the country’s largest providers of title insurance, failed to properly address a known security vulnerability on its website that allowed millions of documents containing consumers’ nonpublic information to be exposed.
After the vulnerability surfaced in a penetration test, First American misclassified the vulnerability as “low,” failed to investigate both the vulnerability and the scope of the exposed documents within the timeframe set by the company’s cybersecurity policy, and neglected to heed the recommendations of its in-house cybersecurity team.
The timing of the NYDFS’s inaugural enforcement action shows that cybersecurity remains a key priority for government agencies, even during the COVID-19 pandemic. Private litigants are increasingly prosecuting cybersecurity claims, too. While we await the results of the NYDFS’s hearing, three key lessons can be learned:
First, involve outside counsel when sensitive cybersecurity issues arise. The NYDFS’s charges detail First American’s employees’ internal confusion and disagreements about how to address the vulnerability. Outside counsel can coordinate a response and minimize the chance that employees will arrive at conflicting conclusions about a security vulnerability. Outside counsel can also establish a privileged channel for communications, which reduces the likelihood of unflattering documents relating to a data incident becoming evidence in a legal proceeding. Organizations should retain competent cybersecurity counsel before cybersecurity issues arise.
Second, use outside cybersecurity experts. Under the direction of outside counsel, cybersecurity experts should be brought in to provide a detached, objective assessment of sensitive technical issues. These experts lessen the possibility that an organization’s employees will dispute how to respond to a cybersecurity issue. From the perspective of employees, such disputes can destroy morale. From the perspective of government agencies and litigation adversaries, such disputes can often be cast in an unfavorable light, compounding the problem brought on by a cybersecurity failure.
Third, remain vigilant against evolving risks. In April, the NYDFS issued guidance urging vigilance against heightened pandemic-related risks stemming from increasing remote work arrangements, phishing and fraud, and outside vendors. Organizations should periodically review their cybersecurity programs to ensure they mitigate new risks and follow evolving best practices.