The data breach we discussed in May, originating from First American Financial Corp., a national leader in the real estate title insurance industry, is now the subject of regulatory investigations.
Both the US Securities & Exchange Commission and the New York Department of Financial Services have committed to inquiries into wrongdoing and negligence by the company.
The regulatory bodies have oversight of the financial industry, including insurance, under GLBA and the newly created 23 NYCRR 500. Both regulations set basic information security requirements that financial companies must implement.
The investigations come after a class action lawsuit against First American was filed in California. The filing alleges First American failed to implement even rudimentary security measures.
Clients of First American may soon receive letters from investigators requesting they preserve and share any documents or evidence they have related to the data breach.
As regulatory requirements for the financial industry and others are enforced more actively, companies will come under increasing scrutiny over how they manage and protect customer data.
A comprehensive Information Security & Privacy program provides the evidence of due care and diligence that allows board members and executives to hold their heads high after a breach.