Cybersecurity and Data Breaches

November 22nd, 2017

California announced a $2 million settlement with Cottage Health System and its affiliated hospitals in California resolving allegations that they failed to implement basic, reasonable safeguards to protect patient medical information in violation of state and federal privacy laws. The settlement requires Cottage to maintain security practices and procedures to protect patients’ medical information from unauthorized access or disclosure. This settlement follows two separate data breach incidents by Cottage Health where more than 50,000 patients’ medical information was made publicly available online. CA

September 5, 2017

Connecticut joined with 31 other states in a settlement with technology company Lenovo (United States) Inc. to resolve allegations that the company violated state consumer protection laws by pre-installing faulty software on laptop computers sold to Connecticut consumers that made consumers' personal information vulnerable to hackers.

August 9, 2017

Connecticut joined with 31 other states and the District of Columbia in a $5.5 million settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, that resolves the states’ investigation into a 2012 data breach that exposed sensitive personal information of 1.2 million consumers across the country. On October 3, 2012, Nationwide and Allied (collectively, "Nationwide"), experienced a data breach when, the states’ investigation found, hackers exploited a vulnerability in the companies’ third-party Web application hosting software. The states’ investigation found that Nationwide had failed to apply a critical software patch that the third-party software company had deployed in 2009 to address the vulnerability. FL

May 23, 2017

New York announced that 47 states and the District of Columbia have reached a $18.5 million settlement with the Target Corporation to resolve the states’ investigation into the retail company’s 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. The agreement represents the largest multistate data breach settlement achieved to date and will bring $635,224.33 to New York State. The states’ investigation found that in November of 2013, cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and to install malware on the system that was used to capture consumer data, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. NY, TX, CA

December 14, 2016

The operators of the Toronto-based AshleyMadison.com dating site have agreed to settle FTC and state charges that they deceived consumers and failed to protect 36 million users’ account and profile information in relation to a massive July 2015 data breach of their network. The settlement requires the defendants to implement a comprehensive data-security program, including third-party assessments. In addition, the operators will pay a total of $1.6 million to settle FTC and state actions. FTC

November 15, 2016

Resolving a multistate investigation into a 2013 data breach that involved the personal information of more than 50,000 Massachusetts residents, software company Adobe Systems, Inc. (Adobe) has agreed to pay $1 million and implement new policies and practices to prevent future breaches. An investigation by the states revealed that in September 2013, Adobe received an alert that the hard drive for one of its application servers was nearing capacity. In responding to the alert, Adobe learned that an unauthorized attempt was being made to decrypt customer payment card numbers maintained on the server. The states allege that the nature of the attack was foreseeable and that contrary to Adobe’s representations to its customers, it did not take reasonable steps to protect consumers’ personal information, or to promptly detect the attack and prevent the theft of consumers’ data. The states allege that the data breach of certain Adobe servers included those containing the personal information of approximately 534,000 residents of the participating states, including approximately 53,000 Massachusetts residents. MA, OH, IL

June 8, 2016

Morgan Stanley Smith Barney LLC will pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online.  As a result of failures to adopt policies and procedures reasonably designed to protect customer data, from 2011 to 2014, a then-employee impermissibly accessed and transferred data regarding approximately 730,000 accounts to his personal server which was ultimately hacked by third parties.  SEC

September 22, 2015

R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, will pay a $75,000 penalty to settle charges that it failed to establish required cybersecurity policies and procedures reasonably designed to protect customer records and information, in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients.  SEC