Click here for a confidential contact or call:


Cybersecurity and Data Breaches

This archive displays posts tagged as relevant to cybersecurity and data breach issues. You may also be interested in the following pages:

Page 1 of 8

DOJ Principal Deputy Assistant Attorney General Credits Whistleblowers, Identifies 2024 Priorities

Posted  02/27/24
Department of Justice Seal Logo
DOJ Principal Deputy Assistant Attorney General Brian Boynton recently spoke at the 2024 Federal Bar Association’s Qui Tam Conference.  Here are a few key takeaways from his remarks, which can be found here.
  1. Crediting Whistleblowers. Boynton lauded whistleblowers, calling them “a critical source of [DOJ’s] enforcement efforts,” and he thanked them and their counsel for their efforts, adding that the DOJ...

Why Cybersecurity Whistleblowers Should Be Treated as Friends, Not Foes

Posted  11/1/23
computer screen with HTML coding
A very insightful article in Security Week explains the rise of cybersecurity whistleblowers and why corporations would be wise to welcome them with open arms.  It may seem counterintuitive to embrace what many so readily dismiss as rabble-rousers or disgruntled employees getting in the way of business. But the higher truth, as the most experienced compliance professionals can attest, is that whistleblowers...

October 17, 2023

Healthcare clearinghouse Inmediata, which facilitates transactions between healthcare providers and insurers, has agreed to pay $1.4 million to 33 states in connection with a data breach that affected approximately 1.5 million consumers for nearly three years.  Despite being alerted to the data breach in 2019, Inmediata failed to notify consumers for over three months.  When it finally did send notice, the notices were misaddressed or unclear, leaving many consumers to believe the notices were fraudulent.  DE AG; NC AG

October 17, 2023

ACI Worldwide, a third-party payment processor for clients such as mortgage service provider Nationstar Mortgage (a/k/a Mr. Cooper), has agreed to pay $10 million to all 50 states for its role in a 2021 testing error that impacted 477,000 Mr. Cooper clients nationwide.  While testing out a platform being offered to Mr. Cooper clients, ACI accidentally submitted live consumer data into the ACH system, which caused ACI to erroneously withdraw $2.3 billion from consumer accounts through 1.4 million transactions, and consequently caused consumers to incur overdraft or insufficient funds fees.  A government investigation ultimately attributed this to ACI’s defective privacy and data security procedures and technical infrastructure.  CA AG; DE AG; PA AG; OR AG; VA AG

October 5, 2023

Software company Blackbaud has agreed to pay $49.5 million to 50 states in connection with a 2020 data breach that exposed the personal information of millions of consumers.  Additionally, the company failed to immediately report, and after failed to reveal the full scope and impact, of the breach.  In addition to the monetary penalty, Blackbaud will overhaul its data security and breach notification practices.  NJ AG; OR AG; PA AG; NC AG; VA AG

September 8, 2023

Kaiser Foundation Health Plan, Inc., and Kaiser Foundation Hospitals have agreed to pay $49 million to settle claims of unlawfully disposing hazardous medical waste and protected health information for 16 different facilities.  The misconduct violated California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, Unfair Competition Law, and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Under the settlement, Kaiser must also retain an independent third-party auditor to ensure Kaiser’s compliance with applicable laws.  CA AG

September 5, 2023

Verizon Business Network Services LLC has agreed to pay over $4 million in connection with its Managed Trusted Internet Protocol Service (MTIPS), which provides federal agencies with secure connections to the internet.  The company self-disclosed that its MTIPS service failed to comply with General Services Administration (GSA) contracts because it didn’t satisfy required cybersecurity protocols.  DOJ

July 19, 2023 Inc. and its wholly-owned subsidiary Services LLC have agreed to pay a $25 million civil penalty to resolve allegations that its voice assistant service Alexa violated the Federal Trade Commission Act, Children’s Online Privacy Protection Act, and Children’s Online Privacy Protection Rule.  Since at least May 2018, Amazon has retained indefinitely and by default voice recordings of children interacting with Alexa. The company also falsely represented that such recordings, including transcriptions and geolocation information, could be deleted by Alexa users, when in fact user deletion requests were not always honored.  As part of the settlement, Amazon will have to identify and delete inactive child profiles and notify users about its retention and deletion practices.  DOJ

CFTC Targets Cybersecurity and Environmental Fraud

Posted  07/6/23
Commodity Futures Trading Commission Logo with Orange Background
Last week, the Commodity Futures Trading Commission (CFTC) announced the creation of two new task forces.  One is the Cybersecurity and Emerging Technologies Task Force, to address fraud relating to cybersecurity and other emerging technologies.  The other is the Environmental Fraud Task Force, to go after environmental fraud and misconduct in derivatives and relevant spot markets.  The CFTC is the federal agency...

June 27, 2023

ACI Worldwide and its subsidiary, ACI Payments, will pay a $25 million civil penalty for improperly initiating around $2.3 billion in unlawful mortgage payment transactions, impacting nearly 500,000 homeowners with mortgages serviced by Mr. Cooper f/k/a Nationstar. ACI offers payment processing services across a wide range of industries. ACI conducted tests of its electronic payments platform on April 23, 2021. Rather than using deidentified, dummy data, ACI used client data files from Mr. Cooper instead, causing massive overdraft fees and other negative financial consequences to the unsuspecting borrowers. The CFPB found ACI in violation of the Consumer Financial Protection Act and the Electronic Fund Transfer Act, for illegally initiating withdrawals from borrower bank accounts, and improperly handling sensitive consumer data. ACI must pay the $25 million as well as adopt and enforce reasonable information security practices, and is prohibited from processing payments without obtaining proper authorization. CFPB
1 2 3 8