Should companies delete the private information of customers after a certain period? The complaint for this class action says that First American Financial Corporation (FAFC) “expressly promises it will maintain appropriate facilities and systems to protect against unauthorized access to” its customers’ information. Still, it suffered a breach that exposed “approximately 885 million records” relating to sixteen years of mortgage transactions.
Two kinds of classes have been proposed.
The complaint alleges, “In one of the most reckless data breaches/exposures in modern history, the FAFC website allowed anyone with a computer to access approximately 885 million records without asking for any authentication. The only action required to exploit the vulnerability in FAFC’s website was tweaking a single digit in the address of a file. No password or other credentials were required…”
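The access pattern the complaint describes, a record keyed only by a sequential number in the URL and served with no authentication, is an insecure direct object reference. The following is an added illustration, not FAFC's code or anything from the complaint: the vulnerable handler shape beside a hardened one that requires a session and an ownership check, plus a log check a defender could run to spot the trace such probing leaves. All record numbers, names, contents and session identifiers are constructed.

```python
# Added illustration, not FAFC's code: a document keyed only by a sequential
# record number (the pattern the complaint describes), a hardened handler, and
# a detection aid over access-log entries. All sample values are constructed.
from typing import Optional

# Constructed store: sequential record numbers -> (owner, content).
DOCUMENTS = {
    100001: ("alice", "alice closing statement"),
    100002: ("bob", "bob wire instructions"),
}

def serve_vulnerable(doc_id: int) -> tuple[int, Optional[str]]:
    """Vulnerable pattern: the number in the URL is the only key.
    No session and no ownership check, so any caller who alters it is served."""
    rec = DOCUMENTS.get(doc_id)
    return (200, rec[1]) if rec else (404, None)

def serve_hardened(session_user: Optional[str], doc_id: int) -> tuple[int, Optional[str]]:
    """Hardened pattern: require an authenticated session, then verify that the
    session's user owns the record. Denied lookups return 404 rather than 403
    so the endpoint does not confirm which record numbers exist."""
    if session_user is None:
        return (401, None)
    rec = DOCUMENTS.get(doc_id)
    if rec is None or rec[0] != session_user:
        return (404, None)
    return (200, rec[1])

def flag_sequential_denials(access_log, threshold: int = 3) -> set[str]:
    """Detection aid over (session_id, doc_id, status) entries: flag sessions
    that collect `threshold` or more denied responses on record numbers that
    differ by exactly one, the trace left when a URL digit is being edited."""
    denied: dict[str, set[int]] = {}
    for session, doc_id, status in access_log:
        if status in (401, 403, 404):
            denied.setdefault(session, set()).add(doc_id)
    flagged: set[str] = set()
    for session, ids in denied.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev == 1 else 1
            if run >= threshold:
                flagged.add(session)
                break
    return flagged
```

Non-sequential, unguessable record identifiers reduce exposure further, but they do not replace the session and ownership check in `serve_hardened`.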
FAFC is one of the largest title insurance companies in the country, offering title insurance, closing/settlement services, property data, insurance, trust and wealth management services, and other related products and services. The records that it held included bank account numbers and statements, mortgage records, tax records, Social Security numbers, and driver’s license images, among other things.
On May 24, 2019, FAFC revealed the data breach, saying that “a design defect in an application made possible unauthorized access to customer data.” In other words, as the complaint puts it, the information “was available for download without hacking into the FAFC databases and without having to provide any authentication.”
According to the complaint, the breach was not discovered by FAFC’s own security policies or procedures but by a real estate developer. The complaint says that “FAFC was reportedly nonresponsive when it was first put on notice…”
The complaint alleges that the company violated the Gramm-Leach-Bliley Act, arguing that FAFC meets the definition of a financial institution under the Act; the complaint also claims that FAFC did not follow industry-standard protocols for safeguarding data.