The New York Department of Financial Services (DFS) recently announced a $1.5 million settlement with a Maine-based mortgage lender over allegations that the company breached state cybersecurity rules.
During a routine investigation of the company's cybersecurity systems, DFS found that the company had failed to adequately disclose a data breach caused by a phishing attack that captured the company's consumer information. The New York cybersecurity rule requires companies licensed with DFS to report "cybersecurity events" within 72 hours of their occurrence. The company was well outside the allotted time to report to DFS, as the company's investigation uncovered the cybersecurity incident 18 months after it occurred.
Additionally, the routine investigation revealed that the company did not have a comprehensive cybersecurity risk assessment of the kind the state's cybersecurity rule requires. DFS requires comprehensive risk assessments to ensure that companies keep an eye on their consumers' non-public information.
The consent order requires the company to make certain cybersecurity improvements to comply with government regulations. The company identified the customers whose data might have been accessed and offered them a credit monitoring and identity theft package for a period of time.