This class action is one of several against First American Financial Corporation (FAFC) for a possible data exposure in its systems. Shockingly, the exposure was not caused by hackers or identity thieves; it was the company’s own poor data protection that made available some 885 million documents to anyone with access to a single file.
The National Data Breach Class for this action is all persons living in the US who bought title insurance or other products or services from FAFC and whose personal information was exposed through FAFC’s website. Alternatively, Statewide State Classes have been proposed, consisting of all residents of [the specific state] whose personal information was maintained on FAFC’s database and compromised by the breach announced by FAFC on May 2, 2019.
FAFC is a very large US title insurance company, with $5.7 billion in revenue for 2018. In addition to title insurance, it offers closing services, home warranty products, property and casualty insurance, and other products and services.
When customers buy FAFC’s products or use its services, they must provide personal information. In particular, in connection with closings and other real estate dealings, customers provide documents that show their Social Security numbers, bank account information, and other personal data.
FAFC claimed, “We Are Committed to Safeguarding Customer Information” in its privacy information on its website. “We will use our best efforts to ensure that no unauthorized parties have access to any of your information,” it said. “We restrict access to nonpublic personal information about you to those individuals and entities who need to know…”
Yet despite the size of the company and the sensitive nature of the information it retains, FAFC failed to protect customers' data. The news emerged on May 21, 2019: some 885 million documents dating back sixteen years had been exposed and available, without the need for a password or any other type of authentication.
How did this happen? FAFC’s systems had a design defect. People were able to access files for transactions in which they had a part, but by changing a single digit in their own file’s address, they were able to access other people’s files as well. A real estate developer discovered the problem, but FAFC was allegedly “nonresponsive” when he told them about it.
Among other things, the complaint alleges that FAFC should be classified as a financial institution under the Gramm-Leach-Bliley Act and should therefore have met more stringent standards for privacy and security.