Recent Settlements and Penalties Show Perils of Data Breaches

Two major U.S. financial institutions, Morgan Stanley and Capital One, recently agreed to resolve separate class action lawsuits by paying, in the aggregate, hundreds of millions of dollars in compensation for massive data breaches a couple of years ago. Those breaches exposed personal data of millions of their customers, giving rise to the class actions. 
 
Morgan Stanley agreed to pay $60 million after customers alleged that the bank exposed their personal data when information stored on decommissioned equipment was not completely wiped clean before being sold to a third party. Customers also alleged that older servers containing consumer data went missing after Morgan Stanley transferred them to an outside vendor. Morgan Stanley denied any wrongdoing. 

A few months ago, Morgan Stanley agreed to pay $60 million in civil penalties to the U.S. Office of the Comptroller of the Currency based on the same incident. 

Capital One, which notably was one of the first banks to invest in migrating their on-site data centers to a cloud computing environment, agreed to pay $190 million to settle the lawsuit filed against it. Customers and applicants filed that suit after a former employee of Capital One’s cloud provider, Amazon Web Services, allegedly hacked into Capital One’s cloud-computing systems and stole their personal information. Capital One and Amazon Web Services denied any wrongdoing. Federal prosecutors ultimately arrested the former employee, who was charged with computer fraud after allegedly accessing the data through an improperly configured firewall. Like Morgan Stanley, Capital One also paid civil fines to the Office of the Comptroller of the Currency, totaling $80 million, for failing to adequately identify and manage risks as it moved significant portions of its technological operations to the cloud system.

Data breaches that expose private consumer information to unauthorized parties can have serious legal consequences, as evidenced by the recent settlements and penalties, not to mention many others that have resulted from breaches at other companies in recent years. Businesses can face crippling fines and lawsuits, generally class actions, leading not merely to significant monetary damages, but also substantial legal fees, investigative costs, reputational harm, and disruptions to the companies’ business. 

Notwithstanding the high risk of cyberattacks and the resultant costs, a study conducted by 451 Research a few months back shows that 83% of businesses still fail to encrypt private data stored in the cloud. Even when businesses protect their data with encryption, the study found that 34% leave the control of keys to cloud service providers rather than retaining control themselves. In addition, 48% admitted that their organization does not have a “zero trust policy,” a security concept based on the belief that, before granting access to their networks and systems, businesses must verify anything and everything seeking to connect to those networks and systems.

With more employees working remotely and more businesses making extensive use of cloud services, the chances of being hacked are higher than ever. There are a number of measures that businesses can take to protect themselves, including the implementation of common- sense steps addressed in the 451 Research study. Those include ensuring proper encryption of private data, retaining control over the data, and implementing zero trust policies. Other measures may include a comprehensive review of the business’ policies and procedures to determine conformity with security standards in the industry and compliance with the law -- which can present its own challenges given that there is no single, comprehensive federal law regulating how most companies collect, store or share data. Relationships with vendors, such as cloud providers, and other third-parties need to be scrutinized. Businesses should also make sure that contracts establishing and documenting these relationships address issues such as data privacy, licensing, intellectual property and other related concerns, as well as liability and indemnity obligations for data breaches.
 
As the Morgan Stanley and Capital One settlements demonstrate, the risk of paying tens, if not hundreds, of millions of dollars as a consequence of a data breach, and sustaining other types of collateral damage, is far from fanciful. More than ever, it is imperative for businesses to take concrete measures to protect sensitive data to reduce the possibility of a data breach and insulate themselves from heightened risks of dire financial consequences.