First American Reaches Cybersecurity Settlement With New York

December 7, 2023

First American Title Insurance Co. agreed to pay a $1 million penalty for violating New York State Department of Financial Services’ (DFS) cybersecurity regulation stemming from a breach in May 2019.

According to the department, the company learned about a design defect in one of its production applications that allowed for the possible unauthorized access to customer data.

DFS’ investigation found that, in violation of the Department’s Cybersecurity Regulation, First American failed to maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and procedures. As a result, according to DFS, First American’s application lacked sufficient access controls designed to prevent unauthorized users from gaining access to consumers non-public information.

First American’s investigation of the incident identified 32 consumers whose non-public personal information likely was accessed without authorization. The consumers have been notified and offered complimentary credit monitoring services.

In the consent order, the department acknowledged First American’s cooperation throughout the Investigation and credited the company’s ongoing efforts to enhance its cybersecurity controls to protect NPI and ensure ongoing compliance with the cybersecurity regulation.

Contact ALTA at 202-296-3671 or