On March 3, 2021, the New York State Department of Financial Services (“DFS”) announced that Residential Mortgage Services, Inc. (“RMS”), a residential mortgage lender, had agreed to pay $1.5 million to New York State following the company’s failure to report a cyber breach that exposed New York Residents’ private data in violation of New York cybersecurity regulations.
In July 2020, DFS discovered during a routine safety examination that RMS had suffered a cyber breach in March 2019, and that RMS had failed to disclose the breach to DFS at the time. The breach compromised sensitive personal data collected from mortgage loan applicants during the course of RMS’s day-to-day operations, and although RMS was aware of the breach, DFS found the company’s investigation inadequate, in that it failed to identify the exposed consumer information until DFS prompted it to do so in July 2020.
DFS found that RMS not only failed to timely report the breach, but that it also failed to have a comprehensive Cybersecurity Risk Assessment as required by 23 NYCRR 500. RMS agreed to pay DFS the $1.5 million penalty and to take steps to bring its cybersecurity program into compliance with New York’s cybersecurity regulations.