On July 22, 2020, the New York Department of Financial Services (“DFS”) announced an enforcement action seeking monetary penalties and injunctive relief against a title insurer for allegedly failing to address a known vulnerability that exposed, for years, tens of millions of documents containing consumers’ personal information. This is DFS’s first enforcement action under cybersecurity regulations that it adopted in 2017. In announcing it, DFS has taken the position that each instance of exposure of non-public information is a separate infraction under the regulations, each of which carry a penalty of up to $1,000 per violation, indicating that DFS may seek to impose very significant financial penalties in large data breach cases.