You may be fined, even if your data is never hacked
It is generally understood that if internal data is compromised and confidential customer data falls into the wrong hands, bad things will occur. Most of us simply keep our fingers crossed and hope that a cyber-attack never occurs. Unfortunately, a recent set of announced fines from the CFPB, SEC, and FTC reveals that even if you are “lucky enough” to avoid a data breach incident, you may still be in danger of incurring a serious fine.
A blog post written by the law firm Holland and Hart, LLP, “Waiting May Cost You: Sanctions for Inadequate Cybersecurity Practices May Be Imposed Before a Cyber Attack,” discusses three recent enforcement actions. While none of the companies fined were in the title industry, all made mistakes similar to those I have observed title agencies make.
A $100,000 fine was levied in In the Matter of Dwolla, Inc. As the consent order reveals, Dwolla openly represented to the public that use of its services was “safe and secure.” However, when the CFPB evaluated Dwolla’s operations, it came to the opposite conclusion and found Dwolla had “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.”
According to In the Matter of Craig Scott Capital, LLC [CSC], Craig S. Taddonio and Brent M. Porges, the SEC determined that CSC had failed “to adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer records and information.” No breach had occurred and no customer information was lost, but the SEC levied the fine merely because CSC was unprepared to deal with an internal or external risk of a breach. The company did possess “written supervisory procedures,” but the SEC found them inadequate or determined they contained blanks where key provisions were to appear. This description reminded me of the dozens of policies and procedures manuals we have reviewed from title agents who maintained that they were “almost ready, but were still a ‘work in progress.’” In the end, in addition to the $100,000 fine imposed on CSC, the SEC levied an additional $25,000 fine on each company officer.
In the FTC action against Henry Schein Practice Solution, Inc., a software company servicing dental practices, a $250,000 fine was levied for falsely representing that it “provided industry-standard encryption” with regard to sensitive customer information. The complaint alleged that the level of encryption utilized was below that which had been adopted in the industry and, therefore, the company had misled its customers. In the title world, there is a growing perception that ALTA Best Practices compliance is becoming recognized as the title industry standard. If so, a title agency’s self-certification maintaining that it complies with Best Practices could render it vulnerable to a fine if it were determined that the company did not actually adhere to those standards. This is not the first time I have explored the dangers associated with self-certification.
Levied fines are part of the penalties that may be imposed
Some readers may assert, “Even if I were to be investigated by one of these regulators, my company is so small that they would never impose a fine of the size levied on these companies.” That may or may not be the case, but even if you are fortunate enough to receive a substantially smaller fine, you will likely not escape a host of other routine obligations that the regulator is likely to impose, requiring you to:
- Provide your clients with a written admission that you made misrepresentations as to your ability to protect their NPI, or otherwise specifically identify the violation asserted by the regulator.
- Provide an outside assessment or conduct future assessments of your business operations to verify that you have not allowed identical problems to occur. In some cases, you may be required to conduct these re-assessments for the next 5 to 10 years.
- Provide agreement that you will not be reimbursed for any fine imposed through insurance coverage that you may have in place.
- Provide agreement that you will not use the fine paid to achieve any tax benefit or credit against additional civil or administrative action that may be imposed in the future.
In short, although everyone dreads the dire consequences of a data breach, the discovery that you are unprepared for such an event can be almost as devastating. As the Holland and Hart blog concludes, regulators are looking closely at those who control substantial sources of NPI, and evaluating whether companies have effective security plans in place. Equally important, however, is that it appears regulators are scrutinizing whether your representations to the public regarding security are in conformity with what your company is actually doing on a day-to-day basis. It is critical that you continually reassess your security policies and procedures to ensure that you are able to defend the effectiveness of your security plan.