NYDFS Settles with Mortgage Company for Data Breach
Time 2 Minute Read
Categories: Cybersecurity, Enforcement, Financial Privacy, U.S. State Law

On March 3, 2020, the New York Department of Financial Services (“NYDFS”) announced it had entered into a settlement with Residential Mortgage Services, Inc. (“RMS”) related to allegations that RMS violated the NYDFS Cybersecurity Regulation in connection with a 2019 data breach.

According to NYDFS, RMS, a licensed mortgage banker, experienced a data breach involving unauthorized access to an employee’s email account. The relevant email account allegedly had “a significant amount of sensitive personal data of mortgage loan applicants” that was exposed as a result of the compromise. NYDFS further alleged that RMS did not conduct an investigation or identify the compromised consumer data until directed to do so by NYDFS in 2020. NYDFS then conducted an examination, which concluded that RMS violated the Cybersecurity Regulation by failing to timely report the data breach. NYDFS also found that RMS “failed to have a comprehensive Cybersecurity Risk Assessment, another requirement of the Cybersecurity Regulation.”

As part of the settlement, RMS agreed to pay a $1.5 million penalty and undertake improvements to its existing cybersecurity program to bring the relevant controls into compliance with the Cybersecurity Regulation. According to the NYDFS press release, NYDFS “notes that RMS cooperated throughout the examination and investigation, and has appeared committed to expediting remediation of its cybersecurity controls.”

Read the full NYDFS settlement.

Tags: Consumer Protection, Cyber Attack, Email, New York, Penalty, Personal Data, United States
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 5 Minute Read
How Insurance Fundamentals Drove a Coverage Win for Uber
By and

A recent summary judgment order is a reminder that, in insurance coverage disputes, straightforward arguments can still win the day. In a coverage action arising from dozens of underlying personal injury suits, the court adopted a clear, text-based approach to the duty to defend—and ordered the insurer to provide a defense.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
The Rise of Luxury Gyms: Opportunities and Risks for Landlords
By and

The post-COVID real estate market has seen a surge in luxury gyms and fitness spaces.  Members are willing to shell out several hundred dollars a month for memberships at popular high-end fitness chains. These modern luxury gyms offer more than just workout spaces.  Many offer holistic lifestyle services such as spas, hair salons, social amenities, co-working spaces, and daycare. These luxury gyms are gaining larger footprints and emerging as a unique retail asset.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page