Bank Regulator Punishes Capital One for Data Breach: $80 Million Civil Penalty

by John DiGiacomo

Partner

Internet Law

Capital One, N.A., and Capital One Bank (USA), N.A. (“Capital One”) were fined $80 million in August 2020 for a 2019 data breach and for the data security failures that contributed to it. See Reuters report here. The result is in line with many governmental investigations and fines that have been imposed for cybersecurity failures over the last 10 to 15 years. For businesses, including banks, a data breach will be costly, both financially and in terms of reputation. It is noteworthy that, here, the investigation and penalties were imposed by the Office of the Comptroller of the Currency (“OCC”). The OCC is one of several federal agencies that has regulatory authority over national banks. One key takeaway is that federal agencies across all industry lines are policing cybersecurity and imposing punishments. Whatever your company’s market area, you must have adequate data security hardware, software and protocols. For the legal aspects, you will need to retain proven data security lawyers like those at Revision Legal.

After concluding its investigation, the OCC cited the following facts as justifying the civil penalty and the various provisions of the consent decree:

  • Starting in 2015, Capital One failed to establish effective risk assessment processes before migrating significant information technology operations to a public cloud environment
  • Capital One failed to establish appropriate risk management for the cloud operating environment once it was in use
  • Capital One failed to design and implement proper network security controls, data loss prevention controls and effective threat alert mechanisms
  • Capital One’s internal audits were inadequate and failed, for example, to identify numerous control weaknesses and gaps in the cloud environment
  • Internal audit reporting to the Board’s Audit Committee was also found to be inadequate
  • Capital One’s Board was faulted for failing to take effective action to hold management accountable even where cyber-risks had been correctly identified
  • Additional deficiencies set out in the consent order

Aside from having to pay the civil penalty, Capital One agreed to various remediation efforts. Capital One agreed to prepare and provide various risk assessment reports and to comply with action plans for improving board oversight and preventing future data losses. Capital One also agreed to routine, periodic testing of the cybersecurity controls it committed to implement. See full Cease and Desist Order here.

The OCC’s investigation was initiated in 2019 after Capital One announced that its computer systems had been hacked and that personal information had been stolen for about 106 million individuals, including customers and credit card applicants. Most of the affected individuals were in the United States, but about 6 million Canadian customers and card applicants were also affected. The information stolen included names, account numbers and other personal information for most individuals; for about 140,000 U.S. customers it also included Social Security numbers, and for about 80,000 it included linked bank account numbers. The data had been stored in Capital One’s cloud-based computing environment, hosted by Amazon Web Services. The attacker exploited a misconfigured web application firewall fronting that environment to obtain credentials that allowed access to the stored data, and was eventually identified as a former Amazon Web Services employee. If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100. We have proven experience with these types of legal issues.
