As we previously reported, Capital One Financial Corporation announced in July 2019 a major data security breach when an individual gained unauthorized access to personal information about Capital One credit card customers. According to the Office of the Comptroller of the Currency (“OCC”), which regulates large U.S. banks, Capital One has now agreed to pay an $80 million fine to resolve claims related to the incident.
Affecting more than 100 million accounts in the U.S., the hack of Capital One’s computer systems was one of the largest financial data breaches ever. According to the Department of Justice indictment filed against her, the suspected hacker accessed and copied data from more than 30 different entities, including Capital One, that rented or contracted servers at an unnamed cloud-computing company at which she previously worked. Although the 2019 breach did not expose credit card account information, Capital One reported that about 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised. Personal information that Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip and postal codes, phone numbers, email addresses, dates of birth, and self-reported income, was also improperly accessed by the hacker. The criminal proceedings against the alleged hacker remain ongoing.
According to a consent order filed last week by the OCC, Capital One failed to establish effective risk management when it migrated information technology operations to a cloud-based service in 2015. The Bank’s internal audit mechanisms also failed to identify “numerous control weaknesses and gaps” in the cloud operating environment. Finally, the Bank’s Board of Directors neglected to hold management accountable for internal control gaps and weaknesses. The OCC concluded that these lapses constituted “unsafe or unsound practices that were part of a pattern of misconduct” violating the Federal Reserve’s Interagency Guidelines Establishing Information Security Standards, 12 C.F.R. Part 30, Appendix B.
In addition to Capital One’s payment of an $80 million civil fine, the Federal Reserve will subject the Bank’s data security practices to heightened scrutiny for the foreseeable future. As part of a cease and desist order filed in tandem with the consent order, the Federal Reserve will require Capital One to undertake a variety of initiatives to strengthen its risk management program and internal controls. For example, within 90 days, Capital One must submit to the Federal Reserve written plans addressing how it will:
- Maintain an effective operational risk management program and ensure that operational risk management and internal control issues are appropriately tracked, escalated, and reviewed by senior management and the Board;
- Strengthen the Bank’s governance and internal controls, including by creating clearly defined operational risk roles and responsibilities and implementing personnel training;
- Improve the Bank’s risk management program, including by adopting comprehensive risk identification and assessment processes and clear ownership and accountability for the aggregation, escalation, and reporting of operational risk management issues; and
- Revise its internal audit program with respect to auditing the Bank’s risk management programs, including technology risk management.
In taking the above actions, the regulators positively considered Capital One’s notification and remediation efforts following the July 2019 incident. Despite these efforts, however, Capital One will need to devote significant resources to assure regulators that it can adequately safeguard data security on a going-forward basis. The settlement thus serves as a cautionary tale that even with prompt remedial action, entities that experience a data breach may still face enforcement action by regulators and substantial fines.
By Sara A. Arrow and Alejandro H. Cruz of Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice.