Breach Uncovered and Announced
On May 24, 2019, the largest real estate title insurance company in the nation, First American Financial Corporation (First American), announced they became aware of a design defect in a product application that made unauthorized access to customer data possible. First American promptly shut down external access to the web application but some of the data that was already revealed continues to remain accessible on some sites. Current reports indicate that approximately 885 million records were exposed over a period of more than 16 years. The exposed records included information such as bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.
Immediately after the news of the breach broke, the NYS Department of Financial Services (NYSDFS) sent a letter to First American asking for information relating to the incident. This is the first test of New York State’s strict new cybersecurity regulation which went into effect in March 2019 and is considered among the toughest in the nation. The NYS cybersecurity regulation requires financial companies to regularly audit and report on how they protect sensitive data and allows the Department of Financial Services to issue fines in situations involving reckless or willful violations.
Class Action Filed
On May 27, 2019, three days after the initial announcement, First American was hit with a nationwide class action filed in Federal Court in California alleging the company ignored warnings regarding the security of its network making it vulnerable to a massive breach. The lawsuit states that “Despite explicitly promising customers robust data security as a part of the high cost of title services, First American allowed anyone to access the sensitive files of millions of customers.” First American’s investigation into the security incident is on-going.
Lessons to Learn
There are many lessons to be learned from looking at the circumstances and event time-line associated with the First American incident. To begin, the First American incident is an example of how rapidly legal and financial liability can appear and build following the discovery and announcement of a security incident – within 72 hours, there was a regulatory investigation and class action filed. The direct financial impact of the breach will be followed closely by the reputational impact the company will likely suffer.
The other very important lesson to be learned is that no company is immune from cyber risk – direct or otherwise. First American is the largest title company in the nation. The shockwaves of this breach will be far reaching – 885 million records over a period of 16 years. Consider the number of law firms, accounting firms, investors, real estate agencies and other companies that do business with (or have ever done business with) First American. Each one of these entities will be impacted to some degree.
The First American incident should also serve as a cautionary tale for corporate boards of directors. First American is a multibillion-dollar public company that offers customers title insurance, settlement services and trust services in the United States and internationally. News of the breach has caused the stock price to fall. The impact of this incident will be substantial as this matter unfolds, regardless of the ultimate outcome of the investigation. Boards of directors must make cybersecurity a priority at all costs.
Tips & Takeaways
Below are a few tips and takeaways as you consider the potential impact of the First American incident:
- Evaluate the Impact: First and foremost, determine if your organization has or had a relationship with First American within the past 16 years.
- Review Your Cyber Insurance Policy/Notify: Most stand-alone cyber insurance markets now offer coverage for Dependent Business Interruption. Determine if your policy contains this coverage and consider notifying your carrier of the incident. In addition, there could be other parts of your policy that could respond depending, of course, on the ultimate outcome of the investigation.
- Review Existing Contract with Dependent Business Vendor: Refresh your recollection regarding the terms of your agreement with the vendor. More specifically, provisions related to insurance, indemnification, confidentiality, and security incidents.
- Document the Response to the Incident: Document your response to the incident along with how the incident has/is impacting you financially. This will assist you in preparing narratives and reports that may be necessary in connection with obtaining insurance/contract-based recoveries or responding to law enforcement, regulators or lawyers.
- Review Your Insurance Portfolio: Even if your company was not directly impacted by the First American incident, this is a good time to take the time to understand the coverage you do (and don’t) have in place for similar events and risks.
EPIC’s National Cyber Team is monitoring the situation and stands ready to answer any questions you may have.
This material is for informational purposes only and not for the purpose of providing legal or insurance advice. Insurance coverage, and the terms and conditions relating to such coverage, will vary. Lemme/EPIC is not a law firm and does not provide legal advice. If such advice is needed, consult with a qualified adviser.
Kelly S. Geary
Managing Principal, National Cyber Practice Leader