Mortgage Company $1.5 Million Consent Order from Data Breach – The National Law Review



In early March, the New York State Department of Financial Services (“DFS”) entered into a consent order requiring Residential Mortgage Company to pay $1.5 million for failing to comply with the Cybersecurity Regulation, Part 500 of Title 23 of the New York Code. The steep financial penalty in the consent order is a stark reminder for companies subject to Part 500 to prioritize their compliance.

In February 2017, New York enacted a law that requires financial companies to implement and report on a detailed framework aimed at protecting consumer data privacy. Part 500 of Title 23 of the New York Code applies to any organization regulated by DFS. This regulation largely impacts the financial, banking, and insurance industries in the United States. Entities that violate this law can incur penalties of up to $250,000 for each day the violation occurs or one percent of total banking assets.

In July 2020, DFS filed its first set of charges against Residential Mortgage Company, a First American Title Insurance Company (“First American”), alleging multiple violations of the DFS Part 500 Cybersecurity Regulation, including failure to: perform an adequate risk assessment of whether an attacker accessed private data of individuals, maintain proper access controls and breach notification obligations, provide adequate security training for cybersecurity employees, and encrypt certain nonpublic information. First American is a licensee of the DFS superintendent authorized to write title insurance in New York and collects a host of sensitive data on buyers and sellers in mortgage transactions to protect owners’ and lenders’ interests against defects in real property titles.

In its complaint, DFS alleged that Residential Mortgage exposed hundreds of millions of documents encompassing consumers’ sensitive personal information like bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images.  According to the complaint, the data breach occurred through an online application system Residential Mortgage employees use to share documents with parties in their transactions.  Any individual with a web browser could easily modify one digit in the URL and potentially access other people’s records.

Companies subject to Part 500 have been awaiting the results of this case since it is a matter of first impression. On March 03, 2021, DFS reached its first full resolution under Part 500 with Residential Mortgage Services. DFS and Residential Mortgage Services agreed to resolve this matter without further proceedings. As a result, Residential Mortgage must pay a civil monetary penalty of $1.5 million within ten days of executing the consent order. In making this determination, DFS assessed the extent to which Residential Mortgage cooperated with DFS in its investigation, Residential Mortgage’s financial resources and good faith in responding to this investigation, the gravity of the violation, and the public interest. In imposing this steep financial penalty, DFS sent a very clear message to other companies subject to Part 500: comply, comply, and comply. In addition, DFS imposed a number of remedial measures on Residential Mortgage aimed at preventing future incidents by ensuring its cybersecurity systems and customer data are secure. These measures include a cybersecurity incident response plan, a cybersecurity risk assessment within 90 days of the order, and training and monitoring programs within 90 days of the order.

© Copyright 2021 Squire Patton Boggs (US) LLP
National Law Review, Volume XI, Number 103
