A New York State Department of Financial Services Cybersecurity Regulation issued in March 2017 is the impetus for the First American Financial Data Breach Lawsuit. The financial company still faces civil charges for its lack of security measures and “strongly disagrees with these allegations.” While the amount of the settlement seems low given the scope of the breach, the CEO of Volkov Law Group, a former assistant U.S. attorney, said it is significant nonetheless.
First American’s failure to implement even rudimentary security measures
A lawsuit filed against First American Financial Corp. for failing to secure sensitive files and documents revealed that 885 million files were available to anyone without authentication. These files included financial records, social security numbers, and bank account numbers. First America failed to implement even the most basic security measures, according to Gritz’s lawyers. In the lawsuit, Gritz claimed that his identity was exposed because of the failure of First American to implement basic security measures.
In response to the lawsuit, First American has shut down all external access to its servers and hired an outside forensic firm to determine the extent to of customer information is compromised. The company maintains that there is no evidence that large-scale unauthorized access occurred, and the company has retained an outside forensic firm to determine the extent of the unauthorized access. In the meantime, the SEC has not yet responded to requests for comment.
Misleading risk factor disclosures
A class action lawsuit filed by St. Lucie County Firefighters Pension Trust Fund alleges that First American Financial Corp. failed to disclose a vulnerability that led to the breach of sensitive data held by 850 million customers. The breach resulted in a steep decline in the stock price. On Friday, U.S. District Judge Dale S. Fischer dismissed the lawsuit, stating that First American had not shown that it was aware of the data breach when it made its risk factor disclosures.
In addition to misrepresenting risk factors, the defendants may not be fully transparent about how the data breach happened. It is unlikely that the victims will know that the data breach occurred until they receive notification from the company. As a result, these companies should take action immediately to prevent such breaches from occurring in the future. Moreover, investors should be aware of any changes in their accounts, including the risk of a data breach.
Negligence
The federal court dismissed a data breach lawsuit filed by First American Financial Corp. because the company violated its customers’ privacy and breached their security agreements. The personal information stolen in the data breach included Social Security numbers, bank account numbers, financial records, and tax records. Some of the information was even photos of drivers’ licenses. As a result of this security lapse, hundreds of millions of customers’ files were exposed. This left the victims of the breach at risk of identity theft.
The plaintiffs in the lawsuit failed to prove that First American violated their privacy when they disclosed that the data breach occurred. The court found that the risk of future harm was too low to pursue the lawsuit. Therefore, the plaintiff’s failure to prove negligence in the case could mean that First American is forced to pay a substantial portion of the costs of breaching the orders. The plaintiffs may also pursue monetary damages against First American for breaching the orders.
Exposure of 885 million records
The security flaw discovered by a real estate developer on First American Financial Corp.’s website resulted in the exposure of 885 million records. The breach was linked to a security issue regarding document access, search, and security. The affected records include personal information such as Social Security numbers and other sensitive information. According to reports, the company has confirmed the breach but declined to provide further details.
According to the lawsuit, First American has failed to protect 885 million records from being accessed by unauthorized individuals. The firm’s website contained information about pending mortgage deals dating back to 2003. First American is now facing a cybersecurity enforcement action from New York regulators, which could lead to steep financial penalties for the company. The company is headquartered in Santa Ana, California, employs approximately 18,000 people, and generated $6.2 billion in revenue last year.
Class action suit
A federal judge has dismissed the latest class action suit against First American over its data breach. In a ruling last year, the court found that the company had made general statements about its security practices and controls, which were untrue and therefore not actionable misrepresentations. A new case is pending. A judge may rule on the class action suit as early as October. For the time being, however, there is little reason to expect that the suit will go forward.
The lawsuit alleges that First American Title Insurance Company lacked security for the information it holds on its customers. The breach exposed nearly 800 million records of mortgages, personal information like Social Security numbers, tax records, and bank account numbers. This exposed information made innocent customers vulnerable to identity theft and other crimes. Furthermore, First American promised its customers robust security measures as part of their high-priced title services. Ultimately, the breach was a mistake and left hundreds of millions of its customers exposed to financial and identity theft.
