Acting Attorney General Matthew Platkin and the Division of Consumer Affairs announced a $1.2 million settlement with Morris Plains-based Weichert Co. and its affiliates on May 18 over allegations that the company’s inadequate cybersecurity safeguards allowed unauthorized access to its network.
Three separate data breaches allegedly resulted from the lack of cybersecurity safeguards, compromising the personal information of at least 10,926 consumers and employees, including close to 7,000 New Jerseyans.
Weichert has agreed to pay $1.2 million and implement new security policies to resolve allegations that it violated the New Jersey Consumer Fraud Act, the Identity Theft Protection Act, and the Gramm-Leach-Bliley Act, the OAG announced Wednesday.
The consent order alleges that Weichert’s lack of safeguards allowed unauthorized access on multiple occasions to its network during periods between July 2016 and July 2018, exposing personal information including social security numbers, credit card information, passport numbers, financial accounts, and driver’s license numbers.
“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” said Platkin. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”
“Companies that handle sensitive consumer data must have appropriate protocols to prevent data breaches,” said Cari Fais, acting director of the Division of Consumer Affairs. “We will continue to pursue organizations that fail to take necessary precautions to protect consumers’ privacy.”
State and federal law require real estate and financial institutions, such as Weichert, to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive data.
The Division alleges that Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multifactor authentication that would have prevented unauthorized access.
Weichert disputes the Division’s allegations but has agreed to comply with the CFA, ITPA and GLBA under the terms of the Consent Order. The settlement also requires Weichert to implement extensive measures designed to strengthen its data security program, including:
- maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
- retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order; and
- maintaining an appointed qualified individual as chief information security officer.
Weichert must also encrypt all sensitive customer information; implement and maintain multifactor authentication for any individual accessing any information system connected to the network; and maintain a risk assessment program to identify, address and, as appropriate, remediate risks affecting the network.
The settlement consists of $1,074,350 in civil penalties and $125,650 for investigative costs and attorneys’ fees, the OAG announced.
Section Chief Kashif Chand and Deputy Attorney General Cody Valdez of the Data Privacy & Cybersecurity Section within the Division of Law’s Affirmative Civil Enforcement Practice Group represent the State in the matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.