Capital One, N.A., and Capital One Bank (USA), N.A. (“Capital One”) were recently fined $80 million for a 2019 data breach and the data security failures that contributed to it. See Reuters report here. The result is in line with many governmental investigations and fines that have been imposed for cybersecurity failures over the last 10 to 15 years. For businesses, including banks, a data breach will be costly, both financially and in terms of reputation. It is noteworthy that, here, the investigation and penalties were imposed by the Office of the Comptroller of the Currency (“OCC”). The OCC is one of several federal agencies that has regulatory authority over national banks. One key takeaway is that federal agencies across all industry lines are policing cybersecurity and imposing punishments. Whatever your company’s market area, you must have adequate data security hardware, software and protocols. For the legal aspects, you will need to retain proven data security lawyers like those at Revision Legal.
After concluding its investigation, the OCC cited the following facts as justifying the civil penalty and the various provisions of the consent decree:
- Starting in 2015, Capital One failed to establish effective risk assessment processes prior to migrating its cyber-operations to a cloud-operating environment
- Capital One failed to establish appropriate risk management for the cloud operating environment
- Capital One failed to design and implement proper network security controls, data loss prevention controls and effective threat alert mechanisms
- Capital One’s internal audits were inadequate and failed, for example, to identify numerous control weaknesses and gaps in the cloud
- Internal audit reporting to the Board’s Audit Committee was also found to be inadequate
- Capital One’s Board was faulted for failing to take effective actions to hold management accountable where cyber-risks were correctly identified
- And more
Aside from having to pay the civil penalty, Capital One agreed to various remediation efforts. Capital One agreed to prepare and provide various risk assessment reports and to comply with various action plans with respect to improving board oversight and preventing future data losses. Capital One also agreed to routine and periodic testing of its to-be-implemented cybersecurity protocols. See full Cease and Desist Order here.
The OCC’s investigation was initiated in 2019 after Capital One announced that its computer systems had been hacked and that personal information had been stolen for about 106 million individuals, including customers and credit card applicants. Most of the customers were in the United States, but Canadian customers and card applicants were also affected. The stolen information included names, account numbers and other personal information for most of those individuals, and, for about 140,000 customers, Social Security numbers and linked bank account numbers. Eventually, the hacker was identified as a former employee of Amazon Web Services, which had provided vendor/contractor services when Capital One was migrating its data to its cloud-based computing environment. If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100. We have proven experience with these types of legal issues.
The OCC’s Regulatory Framework and Enforcement Authority
The Office of the Comptroller of the Currency is a bureau of the U.S. Treasury Department that charters, regulates, and supervises all national banks and federal savings associations. Its authority to impose civil money penalties derives from 12 U.S.C. § 1818, which permits penalties of up to $1 million per day for violations of law, regulation, or unsafe and unsound practices. The $80 million figure against Capital One reflected both the seriousness of the systemic failures and the large number of consumers affected—roughly 106 million individuals in the United States and Canada.
The OCC’s Cease and Desist Order did not stand alone. The Consumer Financial Protection Bureau issued a parallel $80 million civil money penalty against Capital One for separate violations, and the bank also faced a class-action settlement that ultimately paid hundreds of millions of dollars to affected cardholders. When a single security failure touches multiple regulatory regimes simultaneously, the aggregate liability can dwarf the face value of any single fine.
Cloud Migration Risk: A Persistent Pattern
The OCC’s findings squarely implicate what regulators increasingly describe as cloud adoption risk. Capital One began migrating its data infrastructure to Amazon Web Services starting around 2015. The OCC found that the bank rushed that migration without first establishing adequate risk assessment processes, without calibrating its network security controls to the new environment, and without building threat-detection logic appropriate for a cloud-native architecture. The 2019 breach was ultimately executed by a former AWS employee who exploited a misconfigured Web Application Firewall to extract data from an S3 bucket—a vulnerability that proper cloud-security hygiene would have caught.
The Federal Financial Institutions Examination Council has published cloud-security guidance making clear that outsourcing data processing to a third-party cloud provider does not transfer regulatory responsibility to that provider. The bank remains fully accountable for security outcomes regardless of whose infrastructure is used.
Board-Level Accountability: The Governance Dimension
One of the most striking elements of the OCC order was its explicit criticism of Capital One’s Board of Directors. Federal banking regulators rarely single out board conduct in enforcement actions, but here the OCC found that the board received accurate risk assessments yet failed to hold management accountable for remediation. This signals a broader regulatory trend: cybersecurity is now a board-governance matter, not merely a technical IT matter.
Under the OCC’s own guidelines, the board is expected to approve an institution’s information-security program, receive regular reports on material cyber-risks, and direct management to remediate deficiencies promptly. Capital One’s board received reports identifying cloud-security gaps and, according to the OCC, took insufficient corrective action. Directors of financial institutions should treat cybersecurity risk the way they treat credit risk or liquidity risk: as a standing agenda item with measurable oversight metrics.
Lessons for All Businesses—Not Just Banks
While the OCC oversees national banks, the Capital One case carries lessons for any organization that stores consumer data at scale. The Federal Trade Commission enforces the FTC Act’s prohibition on unfair or deceptive practices, which courts have interpreted to require reasonable data-security measures. The SEC has adopted cybersecurity incident disclosure rules requiring public companies to report material breaches within four business days of determining materiality. State attorneys general in California, New York, and Michigan have authority to investigate and fine businesses that suffer breaches attributable to inadequate security.
- Conduct a formal risk assessment before adopting new technologies, not after a breach forces your hand.
- Map every system that touches personal data and apply encryption, access controls, and anomaly detection proportionate to the sensitivity of that data.
- Ensure board-level reporting on cybersecurity metrics on at least a quarterly basis.
- Negotiate contractual security obligations with every vendor or cloud provider that has access to your data.
- Establish and rehearse an incident-response plan that addresses notification timelines under applicable state breach-notification laws.
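The OCC faulted Capital One for network security and access controls that were never recalibrated for the cloud, and the breach itself ended with data pulled from an S3 bucket. One concrete piece of the “access controls proportionate to the sensitivity of that data” item above is a routine check that no role or user can read every bucket in the account. The following script is an added illustration written for this post; it is not Capital One’s, AWS’s or the OCC’s code, and the two policy documents in it are constructed samples, not the policies involved in the incident. It reads an IAM policy document offline and reports any Allow statement that grants S3 read or list access without naming a specific bucket.

```python
"""Least-privilege audit for S3 permissions in an IAM policy document.

Added illustration for this post (not code from Capital One, AWS or the OCC).
Reads a policy document offline and flags Allow statements that grant S3 read
or list access more broadly than one named bucket, the kind of gap a
pre-migration risk assessment or periodic cloud-hygiene review should catch.
"""
import fnmatch
import json

# S3 actions that expose stored customer data when granted across all buckets.
DATA_ACTIONS = ("s3:GetObject", "s3:ListBucket")
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM accepts either a scalar or a list for Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_is_broad(resource):
    """True when the resource ARN covers every bucket rather than a named one."""
    if resource == "*":
        return True
    if not resource.lower().startswith(S3_ARN_PREFIX):
        return False  # not an S3 ARN at all; S3 actions would not apply to it
    bucket = resource[len(S3_ARN_PREFIX):].split("/", 1)[0]
    return bucket == "" or "*" in bucket or "?" in bucket


def audit_s3_policy(policy):
    """Return a list of findings (dicts) describing over-broad S3 data access."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            # Negated grants widen access in ways that are hard to reason about;
            # surface them for a human reviewer rather than trying to evaluate them.
            findings.append({"statement": idx, "reason": "uses NotAction/NotResource"})
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        granted = [a for a in DATA_ACTIONS
                   if any(_action_matches(p, a) for p in actions)]
        if not granted:
            continue
        broad = [r for r in resources if _resource_is_broad(r)]
        if broad:
            findings.append({
                "statement": idx,
                "actions": granted,
                "resources": broad,
                # A Condition block may narrow the grant; reviewers should check it.
                "conditional": "Condition" in stmt,
                "reason": "S3 data access not scoped to a named bucket",
            })
    return findings


# Constructed sample: a role policy of the over-broad shape (hypothetical,
# not the actual policy from the incident).
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::app-static-assets/*"}
  ]
}""")

# Constructed sample: the same role scoped to the one bucket it actually needs.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::app-static-assets"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-static-assets/*"}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(audit_s3_policy(policy), indent=2))
```

Run against the over-broad sample, the script reports the first statement (`s3:*` on `*`) and nothing else; the scoped sample produces no findings. In practice the same function would be fed the inline and attached policies of every role that can be assumed from internet-facing infrastructure, and any finding would be tracked to closure with the board-level reporting the OCC expects.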
If your organization has experienced a data breach or is working to strengthen its cybersecurity compliance posture, contact the data security lawyers at Revision Legal. We counsel businesses at every stage of the data-security lifecycle—from preventive program design through breach response, regulatory investigations, and civil litigation. Call us at 231-714-0100.