$1.2M Settlement Reached With Morris Plains Real Estate Company

MORRIS PLAINS, NJ — A real estate company, headquartered in Morris Plains, agreed to a settlement over allegations that inadequate cybersecurity safeguards allowed unauthorized access to its network, Acting Attorney General Matthew J. Platkin announced.

Weichert Co. and its affiliates agreed to pay $1.2 million and implement new security policies to resolve allegations that they violated the New Jersey Consumer Fraud Act, the Identity Theft Protection Act, and the Gramm-Leach-Bliley Act in their handling of sensitive client information.

According to Platkin, a lack of appropriate safeguards led to three separate data breaches that compromised the personal information of at least 10,926 customers and employees, including nearly 7,000 New Jersey residents.

According to the Consent Order, Weichert's allegedly insufficient safeguards allowed multiple instances of unauthorized network access between July 2016 and July 2018, exposing personal information such as social security numbers, credit card information, passport numbers, financial accounts and driver's license numbers.

“Taking appropriate measures to safeguard clients’ personal information is not just part of a good business model, it is the law,” Platkin said. “This settlement should send a clear message to companies that skimp on data security as a cost-saving measure.”

Prosecutors said Weichert agreed to the settlement consisting of $1,074,350.00 in civil penalties and $125,650.00 for investigative costs and attorneys’ fees to resolve allegations that included:

• Failing to develop, implement, and maintain a comprehensive information security program that contained appropriate administrative, technical, and physical safeguards to protect the personal information of customers.
• Failing to identify reasonably foreseeable internal and external risks to security, confidentiality, and integrity of customer information.
• Failing to design and implement information safeguards to control the risks identified through risk assessment.
• Failing to evaluate and adjust the information security program in light of the results of the testing and monitoring.
• Failing to notify customers, New Jersey State Police, and consumer reporting agencies of the three data breaches without unreasonable delay.

Under the terms of the Consent Order with the Division, Weichert, among other things, agreed to:

• Maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats.
• Retaining an independent third party to assess the information security program and prepare an annual report of findings to confirm compliance with the provisions of this Consent Order
• Maintaining an appointed qualified individual as Chief Information Security Officer (CISO)
• Encrypting all sensitive customer information held or transmitted by the company
• Implementing and maintaining multi-factor authentication for any individual accessing any information system connected to the network
• Maintaining a risk assessment program to identify, address, and as appropriate, remediate risks affecting the network.

“Companies that handle sensitive consumer data must have appropriate protocols to prevent data breaches,” said Cari Fais, Acting Director of the Division of Consumer Affairs. “We will continue to pursue organizations that fail to take necessary precautions to protect consumers’ privacy.”