State Notifications Deemed to Trigger DFS Reporting of Non-material Breaches
Two successive Consent Orders have demonstrated the seriousness of non-compliance with the financial regulations of New York’s Department of Financial Services. While not surprising given the relatively egregious facts of the two cases, DFS’s unprecedented interpretation of the ‘other’ reporting prong of DFS Part 500.17(a) – any notice to another regulatory authority even if the incident is not material – creates a potential hidden standard for the timing of reporting such incidents.
In March 2021, the New York State Department of Financial Services (“DFS”) entered into a consent order with Residential Mortgage Services (“Residential”), a mortgage loan service company based in Maine, which required Residential to pay a $1.5 million penalty for violating DFS’s cybersecurity regulation, as well as undertake certain remedial measures.