First American Financial Corporation Settles SEC Case for $487,616 for Cybersecurity Data Breach and Disclosure Failures
The Securities and Exchange Commission is gaining traction in the enforcement of cybersecurity and disclosure requirements. The SEC has a lot on its plate these days – ESG, cybersecurity, and the traditional mix of enforcement cases.
While the new Chairman has been chomping at the bit, he stumbled out of the gate in his selection of a new enforcement director, Alex Oh, who eventually resigned after being disciplined by Judge Royce Lamberth for misconduct in a long-running civil case.
It may take a few more weeks, but the SEC is getting ready to begin a series of aggressive enforcement programs.
The First American enforcement matter focused on its disclosure controls and procedures relating to cybersecurity vulnerabilities involving its “EaglePro” application for sharing document images related to title and escrow transactions. First American failed to maintain adequate disclosure controls to ensure that all available relevant information concerning the vulnerability was analyzed for disclosure in its reports filed with the SEC.
On May 24, 2019, a cybersecurity journalist notified First American that its application had a vulnerability exposing over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data (e.g. social security numbers and personal financial information).
First American issued a press statement that was included in the journalist’s article published that same day. Four days later, on May 28, 2019, First American filed a Form 8-K about the incident.
However, the senior executives responsible for the press statement and the Form 8-K were not informed of what the company’s information security personnel already knew about a vulnerability in the EaglePro system before making these statements. That information was relevant to senior management’s assessment of the company’s disclosure response to the vulnerability and of the resulting risk from the incident.
Specifically, First American’s senior executives were not told that the company’s information security personnel had identified a vulnerability several months earlier in a January 2019 manual penetration test of the EaglePro application or that First American had failed to remediate the vulnerability in accordance with its risk management policies.
The SEC concluded that First American did not maintain adequate disclosure controls and procedures designed to ensure that senior management had relevant information about the January 2019 test prior to issuing First American’s disclosures about the vulnerability.
EaglePro is a service used in collecting customer information, issuing title insurance policies on residential and commercial property, and providing closing and escrow services. As part of the service, First American uses property-related data, which often contains purchasers’ and sellers’ non-public personal information (NPPI), such as social security numbers and financial information.
The EaglePro application is used to transmit images of title and escrow documents to customers through uniform resource locators (URLs), or web addresses. First American title and escrow personnel generated and sent EaglePro document packages, which included images drawn from First American’s database of escrow and title related document images.
The EaglePro database contained approximately 800 million images. Document images containing NPPI were supposed to bear an “SEC” secure legend, but First American personnel applied the tag manually and misclassified a number of documents. A 2018 internal analysis concluded that tens of millions of images lacked the required “SEC” tag.
First American’s 8-K SEC filing attached a copy of the press release and indicated that First American had no prior indication of any vulnerability. That statement demonstrated that First American’s senior management was not properly informed of the prior report of a vulnerability and a failure to remediate the problem.
Unbeknownst to these senior executives, the company’s information security personnel had been aware of the vulnerability for months and the company’s information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months. Indeed, subsequent to the furnishing of the May 28, 2019 Form 8-K, the company’s information security personnel determined that the vulnerability had in fact existed since 2014.