In case you missed it, on March 3, 2021, the New York Department of Financial Services (NY DFS) issued a press release stating that Residential Mortgage Services, Inc. (“RMS”) will pay a $1.5 million penalty to New York State for failing to report a 2019 security breach. The breach at issue consisted of unauthorized access to the email account of an RMS employee who had access to a significant amount of mortgage loan applicants' personal data.
Per NY DFS, failing to report this unauthorized access to the RMS employee’s email account violated New York’s Cybersecurity Regulation. NY DFS learned of the breach during a 2020 examination of RMS. Until prompted to do so by NY DFS, RMS had not investigated the breach and had not identified the data exposed.
As part of the settlement, RMS agrees to the penalty and has commenced further improvements to its existing cybersecurity program, ensuring that its cybersecurity controls are fully compliant with the Cybersecurity Regulation.
This penalty serves as a good reminder that security breaches don’t just involve unauthorized access to servers. As in the case of RMS, unauthorized access to emails that contain sensitive consumer information is a security breach and must be reported.