Capital One Financial Corporation announced, on 29 July 2019, that it had determined, on 19 July 2019, that an individual had gained unauthorised access to certain personal information on approximately 100 million individuals in the US and approximately 6 million in Canada. Following this, the New York Attorney General (‘AG’), Letitia James, and the Connecticut AG, William Tong, announced, on 30 July 2019, that they had launched investigations into the data breach, whilst the Office of the Privacy Commissioner of Canada announced, on 31 July 2019, that it had also launched an investigation into the breach. U.S. Congressmen Jim Jordan, Mark Meadows and Michael Cloud sent, on 1 August 2019, letters to Capital One and Amazon Inc. requesting briefings on the breach and information on the current status of Amazon Web Services protocols in place to ensure the security of sensitive personal and government data.
Linn Foster Freedman, Partner at Robinson & Cole LLP, told OneTrust DataGuidance, “The takeaway from this specific incident is that companies need to understand that they are still responsible for data security when they store their data in the cloud; it is still their data and they are still responsible for data security. Companies can’t put their data in the cloud and then wash their hands of it. They must use security measures in all situations where they are storing data, on premises or in the cloud. Configuring firewalls for data storage, either on premises or in the cloud, is one of those basic security measures to consider and implement.”
Moreover, Capital One outlined that the largest part of the compromised information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income related to consumers and small businesses as of the time they applied for one of its credit card products from 2005 through to early 2019. Furthermore, credit customer data, including customer status data, such as credit scores and credit limits, were also exposed. The AGs highlighted that Capital One had failed to properly secure such information, noted that it is becoming far too commonplace that financial institutions are susceptible to hacks, and questioned whether companies are doing enough to prevent future data breaches.
Freedman noted, “The response from regulators, as well as class action lawyers following the incident is not surprising and is consistent with the fall-out from other big data breaches over the past few years. There will be a flurry of activity by regulators and class action litigators that will be costly and a difficult process for Capital One over the next few years, that will probably end with proposed settlements.”
Additionally, the Chairwoman of the U.S. House of Representatives Committee on Financial Services (‘the House Committee’), Maxine Waters, issued, on 30 July 2019, a statement on the data breach. In particular, Waters indicated that the breach underscores the importance of the implementation of a series of bills seeking to reform the Fair Credit Reporting Act of 1970 that the House Committee recently passed, so that consumers affected by the breach are not further harmed. Waters further highlighted the need for the House Committee to work on legislation to improve oversight of the cybersecurity of financial institutions.
Freedman concluded, “Massive data breaches like this one are getting the attention of U.S. Congress members more now than ever before, due to the frequency and scale of the incidents. Consumers are becoming more educated about the risks following massive data breaches, are showing signs of getting more involved in demanding that action be taken so that data is protected, and are getting frustrated by the fact that no federal privacy law exists to protect them from identity theft. I do think that the enactment of the General Data Protection Regulation (Regulation (EU) 2016/679) and the California Consumer Privacy Act of 2018 is helping nudge the U.S. Congress to act.”
IANA GAYTANDJIEVA Privacy Analyst