A mortgage lender entered into a settlement with the New York State Department of Financial Services ("NYDFS") after a finding that the mortgage lender failed to report a 2019 cyber breach that exposed the sensitive personal data of mortgage loan applicants.

As described in the Consent Order, NYDFS determined that the email of an employee of the mortgage lender was compromised by an unauthorized entity as a result of the employee responding to a phishing email. In response to the incident, the mortgage lender's information technology ("IT") staff blocked the intruder from further access. NYDFS found that the mortgage lender and its IT staff failed to (i) ascertain whether the employee's email contained private consumer information during the breach, (ii) identify the consumers impacted by the breach, (iii) provide the required notices triggered by the breach or (iv) notify the NYDFS within 72 hours of the incident, as required under 23 NYCRR 500 ("Cybersecurity Requirements for Financial Services Companies").

NYDFS concluded that the company's failure was egregious, considering the employee whose email was breached regularly handled consumers' sensitive personal data, including Social Security numbers and bank account numbers. NYDFS acknowledged the mortgage lender's "commendable cooperation" throughout the NYDFS examination that revealed the breach, and credited the lender for its remediation efforts, including (i) automated warnings on emails from external sources, (ii) automated filtering of incoming emails to identify phishing, (iii) the filtering and analysis of IP addresses to halt access from suspicious locations, and (iv) routine third-party cybersecurity testing.

To settle the violations, the mortgage lender agreed (i) to pay a $1.5 million civil monetary penalty and (ii) to an undertaking to further enhance its existing cybersecurity program.

Primary Sources

  1. NYDFS Press Release: Department of Financial Services Announces Cybersecurity Settlement with Mortgage Lender - Residential Mortgage Services Failed to Report a Cyber Breach Exposing New York Residents' Private Data
  2. NYDFS Consent Order: Residential Mortgage Services, Inc.
