The Maryland Department of Labor’s Office of Financial Regulation, along with regulators from 52 other states and territories, has reached a $20 million settlement with Bayview Asset Management, LLC, and its affiliates—Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings—following a 2021 data breach. The breach exposed the personal information of 5.8 million consumers nationwide, including 124,000 Maryland residents. As part of the settlement, the companies will pay $564,000 in penalties and fees to Maryland.
The settlement represents the first collective enforcement action taken by state regulators against a mortgage company for a data breach. Regulators believe this agreement sets a benchmark for future actions against companies failing to protect consumer data or meet cybersecurity standards. Governor Wes Moore’s administration emphasized the importance of this effort, calling it a critical step toward safeguarding sensitive personal information.
“In today’s digital economy, safeguarding sensitive consumer data is critically important,” said Secretary of Labor Portia Wu. “The Office of Financial Regulation’s leadership in this multistate effort demonstrates the power of collaborative enforcement to protect all of us from cyber threats. Marylanders deserve to know that their data is protected and that the companies entrusted with their sensitive information are held to the highest standards.”
The multistate investigation, led by Maryland, California, North Carolina, and Washington State, revealed that Bayview and its affiliates failed to meet both state and federal cybersecurity requirements. The companies’ inadequate information technology practices left consumer data vulnerable, and they initially failed to notify Maryland regulators of the breach as required by law. This delayed response contributed to the severity of the case.
Bayview and its affiliates have agreed to take several corrective actions to prevent future breaches. These include enhancing cybersecurity protocols, conducting independent assessments of their information technology systems, and reporting regularly to regulators for the next three years. Regulators hope these measures will set an example for other companies in the financial services sector, encouraging them to prioritize robust cybersecurity practices.
“This settlement demonstrates how our Office and our fellow state regulators work to ensure that companies protect consumers’ personal information,” said Commissioner of Financial Regulation Tony Salazar. “State-licensed financial service providers must comply with regulators’ requirements, and we will take action if we believe they are failing to do so.”
Maryland’s Office of Financial Regulation plays a critical role in protecting consumers’ financial interests. It supervises state-chartered banks and credit unions, as well as licensed mortgage companies, lenders, and other financial service providers. The office’s efforts in this case reflect a broader commitment to holding companies accountable for safeguarding consumer data.
Consumers affected by the data breach are encouraged to monitor their credit reports and take precautions against identity theft. The Office of Financial Regulation provides resources and guidance for those seeking assistance. Maryland residents can learn more by visiting labor.maryland.gov/finance.
This case underscores the growing importance of cybersecurity in the financial sector. With more personal and financial information stored digitally, companies must prioritize the protection of sensitive data. The settlement with Bayview Asset Management and its affiliates serves as a reminder that failure to meet these standards will result in significant consequences.