A large insurance company agreed to pay a total of $5.5 Million to settle charges brought by 32 states resulting from the loss of critical consumer information attributable to a criminal data breach. According to the Settlement Agreement, the respondent lost the data for 1.27 million customer across the country when hackers exploited a security breach created when the respondent failed to implement a security patch. As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments. The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” He warned, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”
OUR TAKE: The NYS Attorney General implies that companies can be held liable for data breaches that result from simple negligence rather than recklessness or intent. A solid compliance program that includes a robust cybersecurity assessment can help defend charges that a firm acted negligently.