SEC Fines First American Financial $487K For 'Deficient Disclosure Controls' Over Data Breach

First American Financial Corporation FAF has agreed to a $487,616 settlement with the U.S. Securities and Exchange Commission that resolves charges related to a data breach that exposed confidential customer information.

What Happened: The SEC alleged that First American Financial received notification in May 2019 from a cybersecurity journalist about a vulnerability with its application for sharing document images.

The company was informed that this vulnerability resulted in the exposure of more than 800 million images going back to 2003, including the Social Security numbers and financial information of its customers.

First American Financial, a real estate settlement services company, issued a press statement related to the data breach and filed a Form 8-K with the SEC.

The regulator charged the company with not informing its senior executives responsible for those public statements that the company’s information security personnel identified the same vulnerability several months earlier but failed to remediate the problem.

As a result, the SEC stated First American Financial failed to maintain disclosure controls and procedures designed to ensure that the information regarding the vulnerability was analyzed for disclosure in its reports filed with the regulator, a violation Rule 13a-15(a) of the Exchange Act.

See Also: Stock Market Live: Wall Street Global Trading Academy

How It Was Resolved: With the settlement, First American Financial agreed to a cease-and-desist order and to pay the agreed-upon penalty. The Santa Ana, California-based company was not required to either admit or deny the SEC’s findings, nor did it issue any public statement on the settlement.

Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, faulted First American’s “deficient disclosure controls” and used the case as a warning to other financial services companies.

“Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures,” she said.

(Illustration by Methodshop/Pixabay)

Posted In: Cybersecuritydata breachNewsLegalSEC

Ad Disclosure: The rate information is obtained by Bankrate from the listed institutions. Bankrate cannot guaranty the accuracy or availability of any rates shown above. Institutions may have different rates on their own websites than those posted on The listings that appear on this page are from companies from which this website receives compensation, which may impact how, where, and in what order products appear. This table does not include all companies or all available products.

All rates are subject to change without notice and may vary depending on location. These quotes are from banks, thrifts, and credit unions, some of whom have paid for a link to their own Web site where you can find additional information. Those with a paid link are our Advertisers. Those without a paid link are listings we obtain to improve the consumer shopping experience and are not Advertisers. To receive the rate from an Advertiser, please identify yourself as a Bankrate customer. Bank and thrift deposits are insured by the Federal Deposit Insurance Corp. Credit union deposits are insured by the National Credit Union Administration.

Consumer Satisfaction: Bankrate attempts to verify the accuracy and availability of its Advertisers' terms through its quality assurance process and requires Advertisers to agree to our Terms and Conditions and to adhere to our Quality Control Program. If you believe that you have received an inaccurate quote or are otherwise not satisfied with the services provided to you by the institution you choose, please click here.

Rate collection and criteria: Click here for more information on rate collection and criteria.