In the inaugural enforcement action under its new cybersecurity regulations, the New York Department of Financial Services announced charges against First American Title Insurance Company in July 2020. Companies governed by the regulations and their counsel have anxiously awaited this case of first impression, and the merits of the enforcement action have been extensively covered by legal commentators. Thousands of security incidents have been reported to DFS since the cybersecurity regulations were enacted four years ago, and DFS Superintendent Linda Lacewell remarked last year that the first enforcement action under the new rules “will come—be ready.” Address at New York City Bar Association (Feb. 11, 2020).

This column focuses on a less-heralded but equally important aspect of the enforcement action: how the administrative trial of the First American charges will be conducted. The hearing is scheduled for March 22, 2021, after several postponements. First American has vowed to fight the DFS charges and is simultaneously defending a derivative suit against the company and its officers and directors that tracks DFS’s allegations. There are a number of unique features of DFS’s administrative hearings that should be top of mind. These features include the identity of the DFS hearing officer, relaxed rules of evidence, a “substantial evidence” burden of proof that is less than the usual preponderance level, the nature of the appeals process, and a fact-finding forum receptive to an expansive view of appropriate penalties.

Cybersecurity Regulations and the First American Charges