First American Title, one of the largest providers of title insurance in the U.S., is facing allegations that it exposed the personal data of millions of its customers.
The New York State Department of Financial Services (DFS) filed charges on Wednesday (July 22) against the Santa Ana, California-based company, which wrote more than 50,000 policies in New York last year. Regulators allege violations of the state’s cybersecurity regulation.
DFS said that millions of documents – many containing bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images – were compromised.
The complaint alleges that a breach of First American’s information systems resulted in the exposure of consumers’ sensitive personal information over several years. DFS claimed that First American has known about the vulnerability for nearly two years, but failed to fix it.
DFS alleges that First American did not follow its own privacy protection policies, and neglected to conduct a security review of the flawed computer program and the sensitive data associated with the data vulnerability.
After the data exposure was discovered by an internal test in 2018, First American reviewed less than a dozen of the millions of documents exposed and thereby grossly underestimated the seriousness of the vulnerability, DFS charged.
Violations carry penalties of up to $1,000 for each instance.
A hearing is scheduled at DFS offices for Oct. 26.
First American denied the allegations. “Our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose nonpublic personal information likely was accessed without authorization and otherwise found no evidence of misuse of any nonpublic personal information,” First American said. “None of these identified consumers were New York residents.”
The company said the Nebraska Department of Insurance examined the company’s information security program last summer and concluded that controls are suitably designed and operating effectively. “At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges,” the statement said.
In May, a class-action lawsuit was filed against First American Financial Corp. in U.S. District Court for the Central District of California by Gibbs Law Group on behalf of David Gritz, a resident of Pennsylvania who had bought and sold several homes. The lawsuit contends that First American broke its privacy promises by storing sensitive documents on a publicly accessible system.