United States of America: Issued ruling in DFS investigation into First American for alleged violations of cybersecurity regulation

On 28 November 2023, the New York State Department of Financial Services (DFS) concluded an investigation into First American for alleged violations of cybersecurity regulations, resulting in a penalty of USD 1 million for non-compliance. The fine is linked to a cybersecurity breach in May 2019, where a vulnerability in the company's EaglePro application led to the exposure of consumer data. The DFS investigation determined that First American did not fully adhere to required governance, access controls, identity management, and risk assessment protocols, which contributed to inadequate defence mechanisms against unauthorised access to sensitive consumer information.