NYDFS settles with mortgage lender over data breach
On March 3, 2020, the New York Department of the Treasury (“NYDFS”) announced that it had entered into a settlement with Residential Mortgage Services, Inc. (“RMS”) relating to allegations that RMS may have violated the NYDFS Cybersecurity Regulation in connection with a data breach from 2019.
According to NYDFS, RMS, a licensed mortgage banker, had a data breach involving unauthorized access to an employee’s email account. The relevant email account allegedly had “a significant amount of sensitive personal information from mortgage loan applicants” that was disclosed as a result of the compromise. NYDFS further alleged that RMS did not conduct an investigation or identify the compromised consumer data until NYDFS ordered it to do so in 2020. NYDFS then conducted an audit that found that RMS was in violation of the Cybersecurity Regulation by failing to report the breach in a timely manner. NYDFS also noted that RMS “did not have a comprehensive cybersecurity risk assessment, another requirement of the Cybersecurity Regulation.”
As part of the settlement, RMS agreed to pay a $1.5 million fine and make improvements to its existing cybersecurity program to bring its controls in line with the Cybersecurity Regulation. According to the NYDFS press release, RMS has cooperated throughout the investigation and appears to be committed to expediting the remediation of its cybersecurity controls.
Read the full NYDFS statement.