Capital One, N.A., and Capital One Bank (USA), N.A. (“Capital One”) were recently fined $80 million for a 2019 data breach and for the data security failures that contributed to it. See Reuters report here. The result is in line with many governmental investigations and fines that have been imposed for cybersecurity failures over the last 10 to 15 years. For businesses, including banks, a data breach will be costly, both financially and in terms of reputation. It is noteworthy that, here, the investigation was conducted and the penalties were imposed by the Office of the Comptroller of Currency (“OCC”). The OCC is one of several federal agencies that have regulatory authority over national banks. One key takeaway is that federal agencies across all industry lines are policing cybersecurity and imposing punishments. Whatever your company’s market area, you must have adequate data security hardware, software and protocols. For the legal aspects, you will need to retain proven data security lawyers like those at Revision Legal.
After concluding its investigation, the OCC cited the following facts as justifying the civil penalty and the various provisions of the consent decree:
- Starting in 2015, Capital One failed to establish effective risk assessment processes prior to migrating its cyber-operations to a cloud-operating environment
- Capital One failed to establish appropriate risk management for the cloud operating environment
- Capital One failed to design and implement proper network security controls, data loss prevention controls and effective threat alert mechanisms
- Capital One’s internal audits were inadequate and failed, for example, to identify numerous control weaknesses and gaps in the cloud
- Internal audit reporting to the Board’s Audit Committee was also found to be inadequate
- Capital One’s Board was faulted for failing to take effective actions to hold management accountable where cyber-risks were correctly identified
- And more
Aside from having to pay the civil penalty, Capital One agreed to various remediation efforts. Capital One agreed to prepare and provide various risk assessment reports and to comply with various action plans with respect to improving board oversight and preventing future data losses. Capital One also agreed to routine and periodic testing of its to-be-implemented cybersecurity protocols. See full Cease and Desist Order here.
The OCC’s investigation was initiated in 2019 after Capital One announced that its computer systems had been hacked and that personal information had been stolen for about 106 million individuals, including customers and credit card applicants. Most of the customers were in the United States, but Canadian customers and card applicants were also affected. For most individuals, the stolen information included names, account numbers and other personal information; for about 140,000 customers, Social Security numbers and linked bank account numbers were also compromised. Eventually, the hacker was identified as a former employee of Amazon Web Services, which had provided vendor/contractor services when Capital One was migrating its data to its cloud-based computing environment. If you have legal questions about data security, how to respond to data breaches or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100. We have proven experience with these types of legal issues.