Skip to main content

Fairway Independent Mortgage Corporation Stipulation and Consent Order

Order
Docket No. 21-037-B
Attachment Size
Printer friendly version of Docket No. 21-037-B (298.03 KB) 298.03 KB

STATE OF VERMONT
DEPARTMENT OF FINANCIAL REGULATION

 

                                                                              )

IN RE:                                                                   )                                                    

FAIRWAY INDEPENDENT                               )     DOCKET NO. 21-037-B             

MORTGAGE CORPORATION                           )

NMLS # 2289                                                       )

                                                                              )                                                         

STIPULATION AND CONSENT ORDER

            WHEREAS, the Vermont Department of Financial Regulation (“the Department”) asserts that Fairway Independent Mortgage Corporation (“Respondent”) has violated the Security Breach Notice Act, 9 V.S.A. § 2435, as set forth below; and

            WHEREAS, Respondent and the Department wish to resolve these violations without further administrative proceedings or litigation;

            NOW, THEREFORE, Respondent and the Department stipulate and agree to the terms and conditions in this Stipulation and Consent Order.

STATEMENT OF FACTS

Respondent is a foreign mortgage company with its principal place of business at 4750 South Biltmore Lane, Madison, WI 53718.
Respondent’s NMLS number is 2289.
At all times relevant to this matter, Respondent held licenses issued by the Banking Division of the Department, pursuant to 8 V.S.A. § 2201, authorizing Respondent to operate as a lender and mortgage broker in the State of Vermont. 
From early August 2020 through mid-January 2021, Respondent experienced a phishing attack that sought to obtain sensitive information by way of accessing Respondent’s corporate email accounts. 
On September 18, 2020, Respondent determined that at least one Vermonter may have been impacted by the phishing attack (the “Data Breach”). 
The personal information that may have been acquired from the Data Breach included: individuals’ first names, last names, social security numbers, dates of birth, current addresses, bank account information and credit card accounts. 
Respondent initially believed that 24 Vermont consumers were impacted by the Data Breach. 
Respondent began notifying affected consumers of the Data Breach on March 30, 2021.
Respondent completed notifying the 24 affected Vermont consumers of the Data Breach on April 28, 2021, over seven months after the discovery of the Data Breach.     
Respondent notified the Department of the Data Breach on April 12, 2021, almost seven months after the discovery of the Data Breach.
Following Respondent’s notice to the Department of the Data Breach, the Department requested additional information from Respondent regarding the Data Breach. 
In response to a written inquiry from the Department, Respondent discovered on July 6, 2021 that an additional 9 Vermont consumers were impacted by the Data Breach.
 Respondent completed notifying the additional 9 Vermont consumers of the Data Breach on July 20, 2021.
Respondent has cooperated with and been responsive to the Department’s requests for information and records, has acknowledged that it engaged in statutory violations, and has implemented internal corrective actions to prevent future violations of the Security Breach Notice Act, 9 V.S.A. § 2435. 

 

 

DESCRIPTION OF VIOLATIONS

The Commissioner of Financial Regulation is responsible for administering and enforcing the lending laws of the State of Vermont, is authorized to investigate licensees to determine compliance with Vermont law, and is authorized to issue orders imposing remedial actions and civil administrative penalties, pursuant to 8 V.S.A. §§ 11-12, 15, and 2115.
Pursuant to 9 V.S.A. § 2435, for any entity regulated by the Department, the Commissioner has the full authority to investigate potential violations of the Security Breach Notice Act, including the power to prosecute and impose remedies for any such violations to the same extent as under Title 8 or any other applicable law or regulation.
Pursuant to 8 V.S.A. § 2115, the Commissioner may impose a civil administrative penalty for each violation of Title 8, an administrative rule of the Department, or an order of the Commissioner relating to lending, of up to $10,000 per violation, plus the State’s costs and expenses of investigating and prosecuting the matter, including attorneys’ fees. 
Pursuant to 9 V.S.A. § 2435(b)(3), any entity regulated by the Department shall notify the Department of any security breach within 14 business days of the date the entity discovers the breach or the date the entity provides notice to consumers, whichever is earlier.
Pursuant to 9 V.S.A. § 2435(b)(3), because Respondent discovered the Data Breach on September 18, 2020, Respondent should have notified the Department of the Data Breach no later than October 8, 2020.   
Respondent violated 9 V.S.A. § 2435(b)(3) by failing to notify the Department of the Data Breach by October 8, 2020.       
When Respondent notified the Department of the Data Breach on April 12, 2021, Respondent’s notification was 186 days after the deadline imposed by 9 V.S.A. § 2435(b)(3). 
Pursuant to 9 V.S.A. § 2435(b)(1), any data collector shall notify consumers of any security breach in the most expedient time possible and without unreasonable delay, but not later than 45 calendar days after the discovery of the security breach.   
Pursuant to 9 V.S.A. § 2435(b)(1), because Respondent discovered the Data Breach on September 18, 2020, Respondent should have notified any affected Vermont consumers of the Data Breach no later than November 2, 2020.   
Respondent violated 9 V.S.A. § 2435(b)(1) by failing to notify the 33 Vermont consumers of the Data Breach by November 2, 2020.     
When Respondent completed notifying: (a) the original 24 Vermont consumers of the Data Breach on April 28, 2021, Respondent’s notification was 177 days after the deadline imposed by 9 V.S.A. § 2435(b)(1); and (b) the additional 9 Vermont consumers of the Data Breach on July 20, 2021, Respondent’s notification was 260 days after the deadline imposed by 9 V.S.A. § 2435(b)(1). 

CONSENT ORDER

Within 30 calendar days of the entry of this Stipulation and Consent Order by the Commissioner, Respondent shall pay an administrative penalty of $54,450.00.  Payment shall be made via wire or check made payable to the “Department of Financial Regulation” and mailed to:

Attn: Beth Sides

Department of Financial Regulation

Insurance Division

89 Main Street

Montpelier, VT 05620-3101

 

Respondent shall also implement the following corrective actions:

As required by 9 V.S.A. § 2435(b)(3), Respondent shall employ internal procedures to provide the Department with notification of any security breach no later than 14 business days after Respondent discovers the breach.
As required by 9 V.S.A. § 2435(b)(1), Respondent shall employ internal procedures to provide any affected Vermont consumers with notification of any security breach no later than 45 calendar days after Respondent discovers the breach.
Respondent has and shall take internal corrective actions to prevent future violations of 9 V.S.A. §§ 2435(b)(1), (3), including: retaining outside counsel to ensure timely notifications are provided in conformance with Vermont law and retaining an outside vendor to handle notice mailings required for any future security breaches. 
Respondent has and shall maintain a comprehensive information security program (the “Information Security Program”), that is written in one or more readily accessible parts, and contains the administrative, technical, and physical safeguards that Respondent uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.  The Information Security Program shall be appropriate to Respondent’s size and complexity, the nature and scope of Respondent’s activities, and the sensitivity of the customer information at issue. 
Respondent shall provide the Department a certification, on or before December 31, 2021, that it has implemented the Information Security Program referenced in Paragraph 27(d).
Respondent voluntarily agrees to have an outside third-party vendor conduct an assessment of its information security practices and procedures.  Respondent shall provide the Department a certification that it has completed the assessment, within thirty (30) days of receiving the assessment from the third-party vendor.

Respondent acknowledges and admits the jurisdiction of the Commissioner over the subject matter of this Stipulation and Consent Order.
With respect to the facts and violations identified herein, Respondent waives its right to a hearing before the Commissioner or the Commissioner’s designee and waives its right to all other administrative or judicial review otherwise available under Vermont law, including the rules of the Vermont Department of Financial Regulation and the provisions of 3 V.S.A., Chapter 25.
This Stipulation and Consent Order is entered into solely for the purpose of resolving the violations identified herein, and it is not intended for any other purpose.
Respondent understands all terms and conditions in this Stipulation and Consent Order, consents to the entry of this Stipulation and Consent Order, and acknowledges that its consent is given freely and voluntarily and that, except as set forth herein, no promise was made to induce Respondent’s consent.
Noncompliance with any of the terms and conditions in this Stipulation and Consent Order shall be a violation of a lawful order of the Commissioner and a violation of the laws of the State of Vermont and may result in additional administrative action and the imposition of injunctive relief, sanctions, and additional penalties pursuant to applicable provisions of Title 8, including provisions imposing enhanced penalties for willful violations.
Nothing herein shall be construed as limiting the Commissioner’s ability to investigate Respondent for violations not resolved herein or to respond to and address any consumer complaints made with regard to Respondent.
Nothing herein shall be construed as having relieved, modified, or in any manner affected Respondent’s ongoing obligation to comply with all federal, state, or local statutes, rules, and regulations applicable to Respondent.
Nothing herein shall be construed as limiting any private right of action a person may have.
This Stipulation and Consent Order shall be governed by and construed under the laws of the State of Vermont.

 

 

SIGNATURES

 

The terms and conditions set forth in this Stipulation and Consent Order are hereby stipulated and agreed to.  I certify under the pains and penalties of perjury that I have taken all necessary steps to obtain the authority to bind Respondent to this Stipulation and Consent Order and that I have been duly authorized to enter into this Stipulation and Consent Order on behalf of Respondent.

Fairway Independent Mortgage Corporation

 

 

 

By: _________________________________                                        Date:  October ___, 2021

      Len Krupinski

      Chief Operating Officer                                                                 

           

 

 

 

 

 

The terms and conditions set forth in this Stipulation and Consent Order are hereby stipulated, agreed to, and ordered.

 

DEPARTMENT OF FINANCIAL REGULATION

 

 

By: _________________________________                                   Date:  October ___, 2021

      Michael S. Pieciak                                               

      Commissioner of Financial Regulation

      Vermont Department of Financial Regulation