
InfoBytes Blog

Financial Services Law Insights and Observations


  • States reach multi-million dollar CRA data breach settlement

    Privacy, Cyber Risk & Data Security

    On November 7, a coalition of 40 state attorneys general, co-led by Massachusetts and Illinois, reached settlements with a credit reporting agency (CRA) and a telecommunications company related to data breaches in 2012 and 2015 that impacted the personal information of millions of consumers nationwide. According to the announcement, in 2012, an identity thief posing as a private investigator accessed and retrieved sensitive personal information, such as names, Social Security numbers, addresses, and/or phone numbers, from a database company that the CRA purchased. The states claimed that the identity thief (who has since pleaded guilty to federal criminal charges for wire fraud, identity fraud, access device fraud, and computer fraud and abuse, among other charges) accessed the information prior to the acquisition and continued to do so afterwards. Affected consumers were allegedly never informed of the data breach. Later, in 2015, the CRA reported it experienced a data breach affecting personal information, including consumers’ driver’s license and passport numbers, as well as information used by the telecommunications company to make credit assessments, which the CRA stored on behalf of the telecommunications company. Following the breach, the CRA offered two years of credit monitoring services to affected consumers.

    Under the terms of the settlements (see here and here), the CRA has agreed to pay a combined total of $13.67 million to the states in connection with the 2012 and 2015 data breaches, and will strengthen its data security practices. According to the announcement, these measures will require the CRA to (i) maintain comprehensive incident response and data breach notification plans; (ii) strengthen the vetting and oversight of third parties that have access to consumers’ personal information; (iii) develop an Identity Theft Prevention Program to detect potential red flags in customer accounts; (iv) not misrepresent to consumers the extent to which the privacy and security of their personal information is protected; (v) strengthen due diligence provisions to ensure the CRA properly vets acquisitions and evaluates data security concerns prior to integration; and (vi) implement data minimization and disposal requirements, including undertaking specific efforts designed to reduce the use of Social Security numbers as an identifier. The CRA will also offer affected consumers five years of free credit monitoring services, during which time consumers will be able to receive two free copies of their credit report annually.

    Separately, the telecommunications company agreed to pay more than $2.43 million to the states, and will maintain a written information security program, including vendor management provisions to ensure vendors take reasonable security measures to safeguard consumers’ personal information. This will involve, among other things, maintaining a third-party risk management team to oversee vendors’ security, outlining specific security requirements in vendor contracts, and employing a variety of security assessment and monitoring practices to confirm vendor compliance. The telecommunications company will also provide employee training on the requirements of its information security measures and implement a written cyber incident and response plan to prepare for and respond to security events.

    Privacy, Cyber Risk & Data Security | Courts | Data Breach | Settlement | State Issues | State Attorney General | Credit Reporting Agency

  • District Court preliminarily approves $2.35 million settlement for card data breach

    Privacy, Cyber Risk & Data Security

    On November 8, the U.S. District Court for the Northern District of Texas issued an order accepting a magistrate judge’s report preliminarily approving a consolidated class action settlement related to a restaurant chain’s payment card data breach. Class members alleged that hackers gained unauthorized access to the restaurant chain’s computer servers and payment card environment between April 2019 and October 2020, resulting in hundreds of thousands of consumers’ financial information, including credit and debit card numbers, expiration dates, cardholder names, and internal card verification codes, being compromised. Hackers then allegedly advertised the stolen information for sale on the dark web. Several lawsuits alleging violations of numerous state laws were filed and eventually consolidated with this action. The parties negotiated a settlement prior to class certification, which would require the restaurant chain to provide a $2.35 million all-cash non-reversionary qualified settlement fund and adopt several data-security measures. Class members also would be able to file claims for out-of-pocket losses, elect for a cash payment, and request credit monitoring services.

    The magistrate judge’s report recommended that the proposed class settlement be preliminarily approved as it “will likely be found fair at the final approval stage” and the offered relief “is both procedurally and substantively adequate.” The magistrate judge disagreed with objections raised by certain plaintiffs who argued, among other things, “that the proposed settlement is ‘substantively inadequate’ because the amount of funds available per potential class member is ‘far too low.’” However, according to the magistrate judge’s report, when compared to other settlements approved in other data breach cases, it is “clear that the proposed settlement is at least in line with if not better than what any proposed plaintiff could have expected coming into the litigation.” The magistrate judge also refuted the objecting plaintiffs’ assertion that the proposed settlement treats class members differently by providing plaintiffs who can establish out-of-pocket losses with up to $5,000, California residents without losses with $100, and non-California residents without losses with $50. “The Settling Plaintiffs have adequately demonstrated why this extra recovery for California class members [is] equitable, if not equal. Namely, class members from California could bring California state law claims which provide for $100-$750 in statutory damages,” the report said, adding that “class members from California have a stronger basis for damages than do class members from outside the state—who may only be able to show nominal or incidental damages as a result of [the restaurant chain’s] breach of contract—and so their modestly increased recovery is justified.”

    Privacy, Cyber Risk & Data Security | Courts | Data Breach | Consumer Protection | Class Action | Settlement | State Issues | California

  • Pennsylvania amends privacy bill

    Privacy, Cyber Risk & Data Security

    On November 3, the Pennsylvania governor signed SB 696 to amend the Breach of Personal Information Notification Act. The bill, among other things, prohibits employees of the Commonwealth from using non-secured Internet connections. The bill also includes data storage policy provisions, which establish that an entity that maintains, stores, or manages computerized data on behalf of Pennsylvania that constitutes personal information must develop a policy to govern reasonably proper storage of the personal information. The bill further notes that a goal of the policy must be to reduce the risk of future breaches of the security of the system. The bill is effective 180 days after approval by the governor.

    Privacy, Cyber Risk & Data Security | State Issues | State Legislation | Pennsylvania | Data Breach

  • Plaintiff wins $148,000 in data breach suit

    Courts

    On November 3, the U.S. District Court for the District of Minnesota granted a plaintiff technical consulting and software development company’s motion for summary judgment in a data breach suit. According to the order, an unknown bad actor gained unauthorized access to the email account of a plaintiff’s employee and created multiple “rules” that interfered with the proper receipt of incoming emails. The bad actor sent emails to and from the account, at times impersonating the employee and at times impersonating clients. The plaintiff issued two invoices to a particular client while these rules were in place: one invoice was for $137,000 for the plaintiff’s services, and the other invoice was for an additional $39,962. The bad actor emailed the client, posing as the employee, and wrote that it had “recently changed banks and our previous account . . . has been closed, hence, all payments effective immediately will be made directly to our new bank account in compliance with the policy of the company.” The bad actor requested confirmation as to when the client would pay the first invoice “so we can forward our new bank account details.” The client sent the payment to an account controlled by the bad actor. After discovering the bad actor’s conduct, the plaintiff recovered some of that money with the help of the U.S. Secret Service but sought insurance coverage for nearly $148,000, court records show. The defendant had insured the plaintiff under a technology professional liability (TPL) policy that incorporated a Data Breach Coverage Form, which included a “Cyber Business Interruption and Extra Expense” clause. The plaintiff submitted a claim to the defendant seeking coverage under the policy for the money lost to the bad actor. The defendant denied the plaintiff’s claim for coverage. The plaintiff sued, alleging that the defendant’s denial of coverage breached the TPL policy.

    The court found that using “‘impairment’ rather than ‘interruption’ in the Clause itself demonstrates that the TPL policy specifically grants coverage when a business suffers something less than a total suspension of operations.” The court further noted that the policy covers the loss, granted summary judgment to the plaintiff on its claim that the defendant breached the policy by denying coverage, and awarded the plaintiff nearly $148,000 in damages.

    Courts | Privacy, Cyber Risk & Data Security | Data Breach | Cyber Insurance

  • FTC takes action against ed tech provider for lax data security

    Federal Issues

    On October 31, the FTC announced an administrative action against an education technology (ed tech) provider claiming that the company’s allegedly poor data security practices exposed millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. According to the FTC’s complaint, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Less than a year later, another data breach involved a former employee using login information the company shared with employees and outside contractors to gain access to a third-party cloud database containing personal data for roughly 40 million users. In the following two years, the company experienced two more data breaches through phishing attacks that exposed sensitive employee data, including medical and financial information. Claiming violations of Section 5(a) of the FTC Act, the Commission alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.

    Under the terms of the proposed decision and order, the company would be required to take several measures to address the alleged conduct, including (i) documenting and limiting data collection; (ii) providing users access to collected data and allowing them to submit requests for deletion; (iii) implementing multifactor authentication or another authentication method to protect user and employee accounts; and (iv) implementing a comprehensive information security program that would encrypt consumer data and provide security training to employees, among other things.

    This action is part of the FTC’s ongoing efforts to make sure ed tech providers protect and secure personal data they collect and do not collect more information than necessary. As previously covered by InfoBytes, the FTC issued a policy statement in May warning ed tech providers that they must fully comply with all provisions of the Children’s Online Privacy Protection Act when gathering data about children. The FTC emphasized that ed tech providers may not harvest or monetize children’s data, cannot force children to disclose more information than is reasonably necessary for participating in their educational services, and must have procedures in place to keep the data secure, among other things.

    Federal Issues | Privacy, Cyber Risk & Data Security | FTC | Enforcement | FTC Act | UDAP | COPPA | Data Breach | Consumer Protection

  • District Court approves data scrape settlement

    Courts

    On October 20, the U.S. District Court for the Northern District of California granted final approval to a class action settlement resolving claims that a social media platform (defendant) scraped consumer data for advertising purposes. According to the plaintiffs’ motion for preliminary approval, the defendant allegedly scraped a group of mobile company users’ call and text logs without consent by exploiting a vulnerability in the permission settings for the defendant’s message application. In its third amended complaint, the plaintiffs argued that consumers granted the defendant permission to access their phones’ contact lists, but did not consent to scraping their call and text logs, which included the date and time of phone calls, the phone numbers dialed, the names of the individuals called and the duration of each call, as well as whether each call was incoming, outgoing or missed. The plaintiffs further alleged that the defendant did not explicitly notify them that their data was being collected prior to the vulnerability being patched in October 2017, when the defendant ceased its scraping practice. The settlement requires the defendant to delete all call and text history data that it is not legally obligated to preserve, and provides for a $1.08 million attorney fee request and $1,500 incentive awards for class representatives.

    Courts | Privacy, Cyber Risk & Data Security | Class Action | Data Breach | Settlement

  • District Court preliminarily approves data breach settlement

    Courts

    On October 24, the U.S. District Court for the District of Colorado granted preliminary approval of a class action settlement resolving claims that a defendant failed to safeguard personally identifiable information (PII) during a data breach. According to the plaintiffs’ unopposed motion for preliminary approval of class action settlement and supporting memorandum, in December 2021, the defendant determined that an unauthorized third party had gained access to and gathered data from its computer network in June 2021. The plaintiffs further alleged that, “if [the defendant] ‘properly monitor[ed] … [its] computer network and systems that housed the … [PII],’ [the defendant] ‘would have discovered the intrusion sooner.’” Furthermore, the plaintiffs alleged that the defendant failed to provide “timely and adequate notice” to the plaintiff class, and filed claims for negligence, breach of implied contract, and invasion of privacy by intrusion. The settlement also includes a provision for the defendant to pay directly for credit monitoring and identity theft protection services, not limited by the $475,000 cap, along with about $51,000 for settlement administration costs. The plaintiffs would also be able to seek up to $210,000 for attorney fees and costs, and a total of $5,000 for service awards to the named plaintiffs.

    Courts | Privacy, Cyber Risk & Data Security | Data Breach | Class Action | Settlement

  • FTC’s proposed breach order would apply personally to CEO

    Federal Issues

    On October 24, the FTC announced an action against a company operating an online alcohol marketplace and its CEO related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. The FTC alleged in its complaint that the respondents were alerted to problems with the company’s data security procedures following an earlier security incident in 2018, which involved hackers accessing company servers to mine cryptocurrency until the company changed its cloud computing account login information. According to the FTC, the company failed to take appropriate measures to address its security problems, but publicly claimed it had appropriate security protections in place. Two years later, an employee account was breached, thus allowing a hacker to gain access to login information, hack into the company’s database, and steal customers’ information. Among other things, the respondents allegedly violated the FTC Act by (i) failing to implement basic security measures or put in place reasonable safeguards to secure the personal information it collected and stored; (ii) storing critical database information, including login credentials, on an unsecured platform; (iii) failing to monitor its network for security threats or unauthorized attempts to access or remove personal data; and (iv) exposing customers to hackers, identity thieves, and malicious actors who use personal information to open fraudulent lines of credit or commit other fraud.

    Under the terms of the proposed decision and order, the respondents will be required to take several measures to prevent further violations, including destroying unnecessary personal data, limiting future data collection to what is necessary for specifically outlined purposes, and implementing a comprehensive information security program. As part of these requirements, the respondents must establish security safeguards to protect against the identified security incidents, such as providing employees security training, designating a high-level employee to oversee the company’s information security program, implementing controls on who is able to access personal data, and requiring multi-factor authentication in order to access databases and other assets containing consumer data.

    Notably, the FTC said in its announcement that the proposed order applies personally to the individual respondent who presided over the company’s insufficient data security practices. The FTC explained that the proposed order will follow the individual respondent even if he leaves the company, and that he “will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals” where the individual respondent “is a majority owner, CEO, or senior officer with information security responsibilities.”

    Federal Issues | FTC | Enforcement | Privacy, Cyber Risk & Data Security | Data Breach | FTC Act

  • UK Information Commissioner fines company £4.4 million for data breach

    Privacy, Cyber Risk & Data Security

    On October 24, the UK Information Commissioner fined a construction company £4.4 million for a data breach that allegedly allowed hackers to access thousands of employees’ personal data. According to the monetary penalty notice, the company failed to process personal data in a manner that ensured the appropriate security of individuals’ personal data as required by Article 5(1)(f) and Article 32 of the EU’s General Data Protection Regulation. This includes protecting against unauthorized or unlawful processing, against accidental loss, destruction, or damage, and using appropriate technical and organizational measures, the regulator said. As a result of insufficient security measures, the company was exposed to a cyber-attack that affected the personal data of up to 113,000 company employees, including personal information such as phone numbers, email addresses, national insurance numbers, and bank account details, among others. An investigation found that the company allegedly failed to follow up on a suspicious activity alert, used outdated software systems and protocols, lacked adequate staff training, and conducted insufficient risk assessments. The regulator warned companies that “[t]he biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.” The regulator further stressed that failure to regularly monitor for suspicious activity, act on warnings, update software, or provide training may expose other companies to a similar fine.

    Privacy, Cyber Risk & Data Security | Enforcement | Of Interest to Non-US Persons | UK | GDPR | Data Breach

  • New York announces $1.9 million data breach settlement with global retailer

    State Issues

    On October 12, the New York attorney general announced a $1.9 million settlement with an international e-commerce retailer for failing to properly handle a 2018 data breach. According to the settlement, the e-commerce retailer owns and operates two brands (collectively, “respondents”), which experienced a data breach in which 39 million accounts were stolen, including accounts for more than 800,000 New York residents. The AG found, among other things, that the respondents failed to properly safeguard consumers’ information, failed to adhere to requirements for protecting stored credit card data, and misrepresented the extent of the cyberattack to consumers. As a result of the settlement, the respondents are required to pay New York $1.9 million in penalties and costs, and must maintain a comprehensive information security program that includes robust hashing of customer passwords, among other things.

    State Issues | Privacy, Cyber Risk & Data Security | New York | Data Breach | State Attorney General | Enforcement | Consumer Finance | Settlement
