Poyner Spruill Welcomes Education Law Practice Group

Sign Up Created with Sketch. Want to receive our thought leadership?     Sign Up

The New York Department of Financial Services (NYDFS) has launched its first enforcement action under New York’s Cybersecurity law for financial services, so-called Part 500. Part 500 requires NYDFS licensed institutions to adhere to certain privacy and cybersecurity standards.

Part 500 took full effect in March 2019. It required NYDFS licensed firms to undertake risk assessments for the Non Public Information (NPI) that they processed. Their cybersecurity practices had to correspond to the NPI’s nature, volume, and sensitivity.

Here, NYDFS alleged that the insurer had violated Part 500 obligations. Specifically, NYDFS contended that the company did not fix a known vulnerability in its document-handling program. Cyber defense staff discovered the problem in December 2018. But the company took another six months to address the issue. This failure allegedly compromised millions of documents.

NYDFS determined that the insurer had stored documents used to obtain title insurance in a proprietary document management system. The documents were sequentially numbered. This system, together with the absence of any verification procedures, enabled unauthorized viewers to access the documents. Some documents even appeared in Google search results.

Describing the  response as “a cascade of errors”, NYDFS cited the insurer for allegedly:

The NYDFS action is a strong shot across the bow to NYDFS-licensed entities. At a minimum, entities should have:

Falling short of these standards potentially entails $10,000 per NYDFS-defined violation. A stiff price tag by any measure.

◀︎ Back to Thought Leadership