The saga of the Capital One data breach, which impacted an estimated 106 million individuals in the U.S. and Canada, may soon be coming to an end. After more than two years of litigation, the parties have reached a settlement that would resolve existing and future consumer claims arising out of the 2019 breach, which involved Capital One customer information stored in the Amazon Web Services (AWS) cloud environment. If the settlement is approved, it will be one of the largest in any multidistrict data breach litigation.
On July 29, 2019, Capital One announced that certain information related to current and prospective customers had been stolen by a hacker from the AWS cloud instance where Capital One stored its data. The breach impacted approximately 98 million U.S. residents who had an account, or had previously applied for an account, with Capital One. The hacker stole approximately 140,000 Social Security numbers and 80,000 linked bank account numbers, as well as names, postal codes, birth dates, self-reported income, credit scores, credit limits, account balances and payment history. A former AWS software engineer, Paige A. Thompson, was indicted on federal charges of wire fraud and computer fraud and abuse in connection with the breach.
Under the terms of the settlement, Capital One would pay $190 million to compensate members of the settlement class for (among other things) out-of-pocket losses incurred in connection with the breach and for lost time spent dealing with issues related to the breach, and would provide at least three years of identity theft prevention and resolution services. In addition, for at least two years, Capital One will implement and maintain significant changes to its business practices designed to improve its cybersecurity. In exchange, Capital One and AWS will be released from any further claims by the settlement class in connection with the breach. The proposed settlement is in addition to an $80 million penalty paid by Capital One in 2020 to settle claims by its regulators, who alleged that Capital One engaged in unsafe or unsound practices in connection with moving its customer information to the AWS cloud.
While Capital One remains a strong advocate for the use of cloud storage and computing in the financial services industry (even advertising its move to the public cloud on its website), most other banks and financial institutions have been more cautious about moving critical business applications and customer data to cloud environments. Capital One's experiences, including the 2019 breach and the resulting settlements with regulators and consumers, will no doubt inform other financial institutions' decisions about using cloud computing and storage in the future.
Suzanne’s practice is focused on supply chain, licensing, technology and commercial transactional matters, as well as data security and privacy. She has extensive experience in drafting and negotiating a variety of commercial ...
Todd focuses his practice on data privacy and security, licensing, technology, supply chain and commercial transactional matters.
Before joining the firm, Todd served as an in-house attorney at Bank of America, where he worked ...