Correction to the original article: First American Title Insurance Company is not associated with or involved in the March 3, 2021 consent order between Residential Mortgage Services and the New York Department of Financial Services.
In early March 2021, the New York State Department of Financial Services (“DFS”) entered into a consent order requiring Residential Mortgage Services to pay $1.5 million for failing to comply with the DFS Cybersecurity Regulation, 23 NYCRR Part 500. The steep financial penalty in the consent order is a stark reminder for companies subject to Part 500 to prioritize their compliance.
In February 2017, DFS adopted 23 NYCRR Part 500, effective March 1, 2017, a regulation that requires covered financial companies to implement a detailed cybersecurity program, to report certain cybersecurity events to DFS, and to certify their compliance to DFS annually, all aimed at protecting their information systems and the nonpublic information they hold. Part 500 applies to any organization operating under a license, registration, charter or similar authorization from DFS, which in practice means banks, insurers, mortgage lenders and servicers, and other financial services firms doing business in New York. Entities that violate the regulation can incur penalties of up to $250,000 for each day the violation continues, or one percent of total banking assets.
Companies subject to Part 500 have been awaiting the outcome of this matter because it is a matter of first impression. On March 3, 2021, DFS reached its first full resolution under Part 500 with Residential Mortgage Services. DFS and Residential Mortgage Services agreed to resolve the matter without further proceedings. As a result, Residential Mortgage Services must pay a civil monetary penalty of $1.5 million within ten days of executing the consent order. In setting the penalty, DFS assessed the extent to which Residential Mortgage Services cooperated with DFS in its investigation, the company’s financial resources and good faith in responding to the investigation, the gravity of the violations, and the public interest.

In imposing this steep financial penalty, DFS sent a very clear message to other companies subject to Part 500: comply, comply, and comply. In addition, DFS imposed a number of remedial measures on Residential Mortgage Services aimed at preventing future incidents by ensuring that its cybersecurity systems and customer data are secure. Within 90 days of the order, the company must deliver a cybersecurity incident response plan, a cybersecurity risk assessment, and training and monitoring programs.