Offit Kurman Principals Charles Nerko and Daniella Casseres Published in CyberScoop
Three years after enacting one of the most exacting cybersecurity regulations in the United States, the New York State Department of Financial Services (NYDFS) recently filed its first cybersecurity enforcement action. This enforcement action shows the importance of mitigating legal risks when addressing cybersecurity risks.
NYDFS alleged that First American Financial, one of the country’s largest providers of title insurance, failed to properly address a known security vulnerability on its website that allowed millions of documents containing consumers’ nonpublic information to be exposed.
After the vulnerability surfaced in a penetration test, First American misclassified the vulnerability as “low,” failed to investigate the vulnerability in the timeframe set by the company’s cybersecurity policy, failed to investigate the scope of documents that were exposed, and neglected to heed the recommendations of its in-house cybersecurity team.
The timing of the NYDFS’s inaugural enforcement action shows that cybersecurity remains a key priority for government agencies, even during the COVID-19 pandemic. Private litigants are increasingly prosecuting cybersecurity claims, too. While we await the results of the NYDFS’s hearing, three key lessons can be learned:
First, involve outside counsel when sensitive cybersecurity issues arise. The NYDFS’s charges detail First American’s employees’ internal confusion and disagreements about how to address the vulnerability. Outside counsel can coordinate a response and minimize the chance that employees will arrive at conflicting conclusions about a security vulnerability. Outside counsel can establish a privileged channel for communications, which will reduce the likelihood of unflattering documents relating to a data incident becoming evidence in a legal proceeding. Organizations should retain competent cybersecurity counsel before cybersecurity issues arise.
Second, use outside cybersecurity experts. Under the direction of outside counsel, cybersecurity experts should be brought in to provide a detached, objective assessment of sensitive technical issues. These experts will lessen the possibility that an organization’s employees will have disputes over how to respond to a cybersecurity issue. From the perspective of employees, these disputes can destroy morale. Government agencies and litigation adversaries, for their part, can often view these disputes maliciously, compounding the problem brought on by a cybersecurity failure.
Third, remain vigilant against evolving risks. In April, the NYDFS issued guidance urging vigilance against heightened pandemic-related risks stemming from increasing remote work arrangements, phishing and fraud, and outside vendors. Organizations should periodically review their cybersecurity programs to ensure they mitigate new risks and follow evolving best practices.
ABOUT CHARLES NERKO
Charles J. Nerko is a problem-solving litigator who uses a practical and business-conscious approach to obtain favorable results amid critical circumstances. Mr. Nerko has a track record of success resolving disputes involving data privacy, technology, contracts, business torts, and restrictive covenants. He also advises clients on strategies to minimize litigation risks and protect their confidential information.
ABOUT DANIELLA CASSERES
Daniella Casseres’ legal practice focuses on laws and regulations governing mortgage lenders, mortgage brokers, financial institutions and consumer finance companies. She regularly advises clients on state and federal compliance laws and regulations including fair lending, advertising, licensing, privacy, TILA, RESPA, FHA, FCRA, and BSA requirements.