OAG: $1.2M cybersecurity settlement reached with real estate company
Acting Attorney General Matthew Platkin and the Division of Consumer Affairs announced a $1.2 million settlement with Morris Plains-based Weichert Co. and its affiliates on May 18 over allegations that the company’s inadequate cybersecurity safeguards allowed unauthorized access to its network.
Three data breaches allegedly resulted from a lack of cybersecurity safeguards, compromising the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents.
Weichert has agreed to pay $1.2 million and implement new security policies to resolve allegations of violations of the New Jersey Consumer Fraud Act (CFA), the Identity Theft Protection Act (ITPA) and the Gramm-Leach-Bliley Act (GLBA), the OAG announced on Wednesday.
The consent order alleges that Weichert’s lack of safeguards allowed unauthorized access to its network on several occasions during periods between July 2016 and July 2018, exposing personal information, including Social Security numbers, credit card information, passport numbers, financial accounts, and driver’s license numbers.
“Taking the right steps to safeguard customers’ personal information is not only part of a good business model, it’s the law,” Platkin said. “This agreement should send a clear message to companies that skimp on data security as a cost-saving measure.”
“Companies that manage sensitive consumer data need to have the right protocols in place to prevent data breaches,” said Cari Fais, Acting Director of the Consumer Affairs Division. “We will continue to prosecute organizations that do not take the necessary precautions to protect the privacy of consumers.”
State and federal laws require that real estate and financial institutions, such as Weichert, implement administrative, physical, and technical safeguards that protect sensitive data in a reasonable and appropriate manner.
The Division alleges that Weichert misrepresented its security practices to consumers, had no antivirus software to protect its network, and failed to implement multifactor authentication that would have prevented unauthorized access.
Weichert disputes the Division’s allegations, but has agreed to comply with the CFA, ITPA and GLBA in accordance with the terms of the Consent Order. The agreement also requires Weichert to implement comprehensive measures designed to strengthen its data security program, which include:
- maintain a comprehensive information security program that includes periodic updates to keep pace with changes in technology and security threats;
- hire an independent third party to evaluate the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; and
- maintain a qualified person designated as responsible for information security.
Weichert must also encrypt all sensitive customer information; implement and maintain multifactor authentication for any individual accessing any networked information system; and maintain a risk assessment program to identify, address, and, where appropriate, correct the risks affecting the network.
The settlement consists of $1,074,350 in civil penalties and $125,650 in investigation costs and attorneys’ fees, the OAG announced.
Section Chief Kashif Chand and Deputy Attorney General Cody Valdez of the Data Privacy and Cybersecurity Section, within the Affirmative Civil Enforcement Practice Group of the Division of Law, represent the State in the matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.