Back in May 2019, we covered the news about ‘First American Financial Corporation’ leaking 885 million documents containing the sensitive information of U.S. citizens, including tax records, mortgage records, social security numbers, bank account details, transaction data, statements, and scans of driver’s licenses. The incident was significant enough that U.S. authorities had to look into it, and this week, the U.S. Securities and Exchange Commission has concluded its investigation into the matter. The result is a penalty of $500,000.
To put this into perspective, First American has annual earnings of around $7 billion, so the fine is pretty much laughable. It certainly isn’t a fine that would force the large company to reevaluate its data collection, management, and protection practices. This is the second-largest mortgage title and settlement company in the United States, and this penalty is so small that it won’t even register on its financial status.
As Brian Krebs comments on this news, First American’s main role is to check the validity and legal compliance of real estate transactions. The one competency the firm is expected to have in this role is protecting the privacy and security of the sensitive documents it uses in the process. If these documents are stored on unprotected servers and left to be exfiltrated by any random individual, slapping the company on the wrist achieves nothing other than pretending that regulatory and inspection authorities have a real role.
However, that doesn’t mean that First American can cross out the incident and leave everything behind. There’s still some regulatory inquiry going on in New York, where the Department of Financial Services announced an investigation following the revelations of the massive data breach. This action is still ongoing, but it could result in a more substantial penalty, reaching up to $1,000 per violation.
For its part, First American still downplays the significance of the data leak, claiming that it affected only a small number of individuals and that most of the exposed data was already publicly available. The company has also generally declined to provide details about the duration of the exposure. According to the Securities and Exchange Commission investigation results, this may have been between 2013 and 2019, reaching up to six years of continuous exposure.