Clifford Chance

The New York State Department of Financial Services ("DFS") has fined a mortgage lender $1.5 million to settle violations of its Cybersecurity Regulations.

DFS Cybersecurity Regulation

The DFS Cybersecurity Regulations took full effect in March 2019. As we have discussed previously, the DFS Cybersecurity Regulations require covered entities to, among other things, put a Cybersecurity Program and Policy in place, conduct cyber risk assessments, have an incident response plan, provide annual certifications of compliance to DFS, and provide notices of "Cybersecurity Events" to the Superintendent with 72 hours of determining there has been an event.

This enforcement action is the second to be announced by DFS under its Cybersecurity Regulations and the first settlement that the agency has achieved.

The breach and DFS Investigation

Residential Mortgage ("RM") is based in Maine but has been licensed by DFS in New York State since 2017. According to the settlement documents, in March 2020, DFS conducted a routine, general compliance review of RM and during the review, DFS discovered that RM had been victim of an apparent cybersecurity event in 2019 that it had not previously reported.
The cybersecurity event stemmed from individual RM employee responsible for collecting substantial amounts of sensitive personal data clicking on a malicious link in a phishing email. RM had instituted a multifactor authentication application to secure access to employees' email accounts, but in this instance, the employee also tapped her mobile phone screen four times to give her approval in a response to a notification that someone was seeking access her email account.

Immediately after the incident, RM IT staff determined that the cyber intruder had accessed the employee's email account on four occasions. RM IT staff blocked any further access, but after concluding that the incident was limited to one employee's email account, they failed to conduct any further investigation into the scope of the breach, particularly as to whether any individuals' personal data may have been accessed. In fact, the employee was responsible for handling a significant volume of customers' personal data, including social security numbers and bank account numbers.

With relation to this breach, DFS found that RM "failed to (1) identify whether Employee's mailbox contained private consumer data during the breach, (2) identify which consumers were impacted, and (3) apply the applicable state notice requirements triggered by the breach." As a result of these failures, RM failed to provide notice to DFS within 72 hours of becoming aware of the breach. It was only after DFS prompted RM to conduct a full investigation, 18 months after the breach, that it investigated and considered which state data breach notification statutes may have been triggered by the incident.

The routine investigation also determined that RM had not conducted a comprehensive cybersecurity risk assessment, as required by the Cybersecurity Regulations. DFS emphasized that a cybersecurity risk assessment should encompass risks to a company's information systems as well as risks to the personal information of its customers.

After the conclusion of DFS's evaluation, RM retained outside counsel and a cybersecurity consultant to fully investigate the breach. As part of the investigation, RM identified all individuals whose personal information had been accessed during the breach, made notifications to them as required under state laws, and offered them free credit monitoring services.

Penalty

In announcing the $1.5 million penalty, DFS acknowledged RM's "commendable cooperation" throughout the examination and recognized RM's commitment to remediation. In addition to the monetary penalty, RM is also required to develop and submit to DFA (1) a comprehensive written Cybersecurity Incident Response Plan and (2) a comprehensive Cybersecurity Risk Assessment (3) other documents relating to the training of employees and monitoring of its IT systems.

Takeaways

Conduct full investigation: As this incident demonstrates, phishing attacks have the potential to trigger notification requirements under state data breach notification laws. When you become aware of a successful phishing attack, an important element of the response should be scoping the extent of the breach, including an assessment of the types of personal data potentially impacted, the number of individuals' whose data may have been accessed, and the jurisdictions impacted by the breach.

Adequate Employee Training: Successful phishing attacks often combine measures of social engineering with malicious technical code. As such, it is paramount that employees are trained to recognize suspicious emails and activity relating to their email accounts. In this instance, although RM had instituted multifactor authentication, the actions of one employee allowed an intruder to access a significant volume of customers' sensitive personal data.