NY-DFS and SEC Show Teeth, but will they Bite? 

Privacy Plus+

Privacy, Technology and Perspective

NY-DFS and SEC Show Teeth, but will they Bite?  This week, let’s consider the investigations and class actions currently faced by insurance giant, First American Financial Corp (NYSE: FAF).  What we wonder is whether all these charges will be material from a financial perspective.  Here’s why:

FAF is facing charges brought by New York Department of Financial Services (“NY-DFS”), an investigation by the Securities and Exchange Commission (“SEC”), and four class actions, all stemming from the discovery and disclosure of a security vulnerability reported by noted security blogger Brian Krebs in 2019.  The vulnerability on FAF’s website is alleged to have exposed tens of millions of title insurance records containing sensitive personal information, including Social Security numbers, bank account numbers, drivers’ license images, and wire transaction receipts. 

Generally, NY-DFS has charged FAF with violating its Cybersecurity Requirements for Financial Services Companies, 23 NYCRR Part 500 (“Cybersecurity Regulation”).  (Among other things, the Cybersecurity Requirements require financial services companies to certify annually that they have implemented robust cybersecurity programs aligned with five key areas of the NIST framework.) NYDFS says that the security vulnerability went undetected for years, and that FAF compounded its error by its willful failure to remediate it. Specifically, NYDFS alleges that the vulnerability was actually discovered in December 2018 by a penetration test, but that FAF willfully failed to remediate it.  A link to NYDFS’s Statement of Charges and Notice of Hearing follows:

https://www.dfs.ny.gov/system/files/documents/2020/07/ea20200721_first_american_notice_charges.pdf

Separately and in addition to the NY-DFS charges, the SEC is questioning the adequacy of public disclosures FAF made at the time of the incident and the adequacy of its disclosure controls.  And not to be left out, at least four class actions are pending in civil courts. 

Brian Krebs was the first to report this incident. For more background, you can click on the following link to KrebsOnSecurity and its post regarding this incident and its fallout:

https://krebsonsecurity.com/tag/first-american-financial-corp/

We have previously predicted that privacy and cyber-liability could rise to a “material” level for financial reporting and disclosure purposes.  You can click on the following link to read our previous post regarding the criminal indictment of Blue Bell’s CEO and recent derivative ligation against boards that fail to implement reporting or information system or controls or having implemented such a system or controls, that fail to monitor or oversee their operations:

https://www.hoschmorris.com/privacy-plus-news/privacy-and-cyber-liability

You can also review this post regarding the Federal Trade Commission’s $5 billion settlement with Facebook by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/privacy-plus-july-27-2019

More recently, in August, news broke that Uber’s Global CISO was criminally charged for allegedly covering up a security incident.  You can click on the following link to read more about that development:

https://www.cbronline.com/news/ciso-charged-joe-sullivan-uber

Despite the trend toward heightened scrutiny on controls, hefty fines, and perhaps even criminal liability, FAF concluded its report on the incident during its Q2 Earnings Call in July: “We do not believe that these investigations and class actions will be material from a financial perspective.” A link to FAF’s Earnings Call transcript follows:

http://s21.q4cdn.com/992793803/files/doc_financials/2020/q2/FAF-USQ_Transcript_2020-07-23.pdf

On this point, we depart from our normal sunny and cheerful dispositions and take a somewhat darker view. Much or all depends on the facts, which are limited for now; and leaping to conclusions would be wrong. But if it becomes apparent that NYDFS can prove that FAF negligently skipped over a known and dangerous security vulnerability, the resulting fines, damages, and other costs may well cross the threshold of “materiality” for the company – not to mention for responsible individuals.  If facts reveal that it actively concealed the vulnerability, the consequences would be even worse.

After all, the SEC’s own guidance suggests that data breaches are likely to be material, board-level concerns which may give rise to graver issues, especially when the company has knowledge regarding the incident.  A link to the SEC’s guidance follows:

https://www.sec.gov/rules/interp/2018/33-10459.pdf

The authorities’ teeth were always there.  They have growled before.  Scan across FAF, Blue Bell, Uber, Facebook…they are baring their teeth.  The question is will they bite? 

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.