BVG: $1.2 million cybersecurity agreement signed with a real estate company
Acting Attorney General Matthew Platkin and the Consumer Affairs Division on May 18 announced a $1.2 million settlement with Morris Plains-based Weichert Co. and its affiliates over allegations that the company’s inadequate cybersecurity protections allowed unauthorized access to its network.
Three separate data breaches are said to have resulted from the lack of cybersecurity safeguards, compromising the personal information of at least 10,926 consumers and employees, including nearly 7,000 New Jersey residents.
Weichert agreed to pay $1.2 million and implement new security policies to resolve allegations that it violated New Jersey’s Consumer Fraud Act, the Identity Theft Protection Act and the Gramm-Leach-Bliley Act, the BVG announced on Wednesday.
The consent order alleges that Weichert’s lack of safeguards allowed repeated unauthorized access to its network between July 2016 and July 2018, exposing personal information, including Social Security numbers, credit card information, passport numbers, financial accounts and driver’s license numbers.
“Taking appropriate steps to protect customer personal information is not only part of a good business model, it’s the law,” Platkin said. “This regulation should send a clear message to companies that skimp on data security as a cost-saving measure.”
“Companies that process sensitive consumer data must have appropriate protocols in place to prevent data breaches,” said Cari Fais, acting director of the Consumer Affairs Division. “We will continue to sue organizations that fail to take the necessary precautions to protect consumer privacy.”
Protect yourself from cyber threats
State and federal laws require real estate and financial institutions, such as Weichert, to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive data.
The Division alleges that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access.
Weichert disputes the Division’s allegations but has agreed to comply with the CFA, ITPA and GLBA under the consent order. The settlement also requires Weichert to implement extensive measures designed to strengthen its data security program, including:
- maintain a comprehensive information security program that includes regular updates to keep up with changing technology and security threats;
- retain the services of an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this order; and
- maintain a qualified person appointed as the Information Security Officer.
Weichert must also encrypt all sensitive customer information; implement and maintain multi-factor authentication for any individual accessing any information system connected to the network; and maintain a risk assessment program to identify, address and, if necessary, remediate risks affecting the network.
The settlement includes $1,074,350 in civil penalties and $125,650 for investigation costs and attorneys’ fees, the OAG said.
Section Chief Kashif Chand and Assistant Attorney General Cody Valdez of the Data Privacy and Cybersecurity Section within the Law Division’s Affirmative Civil Enforcement Practice Group are representing the state in this case. Investigator Aziza Salikhova from the Office of Consumer Protection within the Consumer Affairs Division conducted the investigation.