Weichert Realtors and Affiliates Will Pay $1.2 Million and Revamp Data Security Measures
NEWARK – Acting Attorney General Matthew J. Platkin and the Division of Consumer Affairs today announced a settlement with a group of affiliated real estate and financial companies over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network. The lack of appropriate safeguards allegedly resulted in three separate data breaches that compromised the personal information of at least 10,926 consumers and employees, including close to 7,000 New Jersey residents.
Weichert Co. and its affiliates (Weichert), headquartered in Morris Plains, NJ, have agreed to pay $1.2 million and implement new security policies to resolve allegations that they violated the New Jersey Consumer Fraud Act (CFA), the Identity Theft Protection Act (ITPA), and the Gramm-Leach-Bliley Act (GLBA) in their handling of sensitive client information.
According to the Consent Order filed today, Weichert’s lack of adequate safeguards allegedly permitted multiple instances of unauthorized access to its network during periods between July 2016 and July 2018, exposing personal information such as social security numbers, credit card information, passport numbers, financial accounts, and driver’s license numbers.
“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” said Acting Attorney General Platkin. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”
“Companies that handle sensitive consumer data must have appropriate protocols to prevent data breaches,” said Cari Fais, Acting Director of the Division of Consumer Affairs. “We will continue to pursue organizations that fail to take necessary precautions to protect consumers’ privacy.”
Under both state and federal law, certain real estate and financial institutions, such as Weichert, that offer financial products or services and handle sensitive client information, are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the sensitive data.
Based on its investigation, the Division alleges that among other things, Weichert misrepresented security practices to consumers, lacked antivirus software to protect its network, and failed to implement multi-factor authentication that would have prevented unauthorized access. Specifically, the company allegedly violated the CFA, ITPA, and GLBA by:
- failing to develop, implement, and maintain a comprehensive information security program that contained appropriate administrative, technical, and physical safeguards to protect the personal information of customers;
- failing to identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information;
- failing to design and implement information safeguards to control the risks identified through risk assessment;
- failing to evaluate and adjust the information security program in light of the results of the testing and monitoring; and
- failing to notify customers, New Jersey State Police, and consumer reporting agencies of the three data breaches without unreasonable delay.
Although Weichert disputes the Division’s allegations, the company has agreed to comply with the CFA, ITPA, and GLBA under the terms of the Consent Order. In addition to the monetary payment, today’s settlement requires Weichert to implement extensive measures designed to strengthen its data security program. The security measures required under the settlement announced today include:
- maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
- retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order;
- maintaining an appointed qualified individual as Chief Information Security Officer (CISO);
- encrypting all sensitive customer information held or transmitted by the company;
- implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network; and
- maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.
The settlement consists of $1,074,350.00 in civil penalties and $125,650.00 for investigative costs and attorneys’ fees.
Today’s settlement is the fourth settlement reached by the Division in recent months as part of the Office of the Attorney General’s commitment to hold companies accountable for CFA violations in connection with data breaches that compromise clients’ sensitive data.
In December 2021, three New Jersey-based providers of cancer care entered a settlement that included a $425,000 payment and the adoption of additional privacy and security measures to safeguard individuals’ protected health information and personal information. In October 2021, the Office of the Attorney General announced a settlement agreement that required a fertility clinic to implement additional data security measures and pay the state $495,000. In November 2021, a $130,000 settlement, which also required the implementation of new security policies, was reached with two printing companies that worked with a leading New Jersey-based managed healthcare organization.
Section Chief Kashif Chand and Deputy Attorney General Cody I. Valdez of the Data Privacy & Cybersecurity Section within the Division of Law’s Affirmative Civil Enforcement Practice Group represent the State in the matter. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation.
The mission of the Division of Consumer Affairs, within the Department of Law and Public Safety, is to protect the public from fraud, deceit, misrepresentation, and professional misconduct in the sale of goods and services in New Jersey through education, advocacy, regulation and enforcement. The Division pursues its mission through its 51 professional and occupational boards that oversee 720,000 licensees in the state, its Regulated Business section that oversees 60,000 NJ registered businesses, as well as through its Office of Consumer Protection, Bureau of Securities, Charities Registration section, Office of Weights and Measures, and Legalized Games of Chance section.