A title insurance company has become the first insurance company accused of violating the New York State Department of Financial Services' 2017 cybersecurity regulation.
On Tuesday, DFS accused First American Title Insurance Co. of exposing millions of documents that contained consumers' sensitive personal information, including bank account numbers, mortgage and tax records, Social Security numbers, transaction receipts and driver's license images.
Santa Ana, California-based First American, one of the largest providers of title insurance in the United States, signed more than 50,000 policies in New York State in 2019, DFS said in a statement.
The agency said that a vulnerability in the insurance company's information systems resulted in exposure of consumers' sensitive personal information for several years and that First American failed to remedy the exposure immediately after it was discovered in December 201
New York law provides for penalties of up to $1,000 per violation, according to DFS.
A hearing on the allegations is scheduled for October 26.
First American issued a statement saying that it "strongly agrees" with the allegations "of a limited cyber security incident from May 2019."
"As we reported in July 2019, our investigation of the incident, which was conducted with external forensic technicians, identified a very limited number of consumers whose non-public personal data were probably available without permission, and otherwise no evidence of misuse of non-public personal information was found. None of these identified consumers were New York residents."
The statement added: "At First American, security, integrity and privacy are the highest priority, and we intend to vigorously defend ourselves against the department's unreasonable accusations."
The Cybersecurity Regulation, which entered into force in March 2017, requires insurance companies and other financial institutions to set up controls to ensure a robust cybersecurity program.