On June 15th, 2021, the Securities and Exchange Commission (“SEC”) charged First American Financial Corporation, a real estate financing service company headquartered in California, with deficient disclosure controls and procedures concerning a cybersecurity vulnerability. First American is a publicly traded company registered with the SEC under Section 12(b) of the Exchange Act, and it agreed to pay a civil penalty of approximately $500,000 to settle the charge.
The SEC stated in its order that First American’s services involved data containing real estate purchasers’ nonpublic personal information (“NPPI”). That information may have included customers’ social security numbers and financial information, all of which was supposed to be kept private. However, First American’s system did not maintain procedures that adequately protected this sensitive data. Instead, the system contained a security loophole that allowed unauthorized access to customers’ personal information. Documents containing private information were sent to their designated recipients as web addresses linking into First American’s document repository. By simply editing the number in the web address, one could obtain unauthorized access to other people’s documents. In addition, documents containing private information were supposed to be labeled “secured,” which required a password to access them, but because the label was applied manually, many documents were misclassified. The two vulnerabilities combined exposed over 800 million “secure” documents dating back to 2003.
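As an added illustration of the two weaknesses just described, and not code from this post or from First American, the following Python sketch places a document lookup keyed only by the number in the link beside a version that enforces per-document authorization; the document ids, recipient names, labels and contents are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Document:
    doc_id: int
    recipient: str    # party the document was sent to
    secured: bool     # manually assigned "secured" label, so it can be wrong
    body: str

# Constructed repository: sequential numeric ids like the number in the links
REPO = {
    1001: Document(1001, "alice", True, "SSN 000-00-0000 (constructed)"),
    1002: Document(1002, "bob", False, "unlabelled but sensitive (constructed)"),
    1003: Document(1003, "carol", True, "bank details (constructed)"),
}

class Forbidden(Exception):
    pass

def fetch_vulnerable(doc_id: int, requester: Optional[str]) -> str:
    """Pattern from the order: the URL number alone selects the record,
    and only the manual label adds a password gate, so a mislabelled record
    goes to anyone and a labelled one to any logged-in user."""
    doc = REPO[doc_id]
    if doc.secured and requester is None:
        raise Forbidden("password required")
    return doc.body   # intended recipient never checked

def fetch_hardened(doc_id: int, requester: Optional[str]) -> str:
    """Object-level authorization: the authenticated requester must be the
    recipient. The label is not an access decision, and a foreign id gets
    the same answer as a missing one, so the number is not an oracle."""
    doc = REPO.get(doc_id)
    if requester is None or doc is None or doc.recipient != requester:
        raise Forbidden("not found or not authorized")
    return doc.body

def ids_served_to(fetch: Callable, requester: Optional[str],
                  start: int, count: int) -> list:
    """Regression check: ids in the range that `fetch` hands to `requester`."""
    served = []
    for doc_id in range(start, start + count):
        try:
            fetch(doc_id, requester)
            served.append(doc_id)
        except (Forbidden, KeyError):
            pass
    return served
```

The `ids_served_to` check is the kind of test a defender would keep in a regression suite: for the hardened handler, a given requester must only ever receive their own document ids.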
First American did not disclose the vulnerability until May 24th, 2019, after a cybersecurity journalist notified the company. Following that notification, First American issued a press release on May 24th and furnished a Form 8-K to the SEC on May 28th. The senior executives responsible for disclosure were unaware that the company’s own information security personnel had already identified the vulnerability in a report as early as January 2019. First American failed to recognize the severity of the situation because the vulnerability had been mistakenly categorized as “Level 2” instead of “Level 3.” A “Level 3” vulnerability requires remediation within 45 days, while a “Level 2” vulnerability allows 90 days.
The senior executives responsible for disclosure should have known, before May 28th, about the cybersecurity vulnerability that exposed sensitive data. This management failure violates Section 13(a)-15 of the Exchange Act, which requires public companies registered with the SEC to “maintain disclosure controls and procedures designed to ensure that information required to be disclosed is recorded, processed, summarized, and reported.”
Kristina Littman from the SEC Enforcement Division’s Cyber Unit says, “[a]s a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it. Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”
Wilson Bradshaw LLP is a boutique securities law firm in Irvine, California, and New York City. We offer the advantage of a highly focused, experienced legal team that understands business realities. We also provide legal consultation regarding the SEC’s regulations. Our practice is dedicated to helping businesses prosper by providing cost-effective services without compromising quality. Please visit our website or contact us through email for anything you need.