Breach Settlements Are Helpful Cybersecurity Reminders
Over the past month, a number of high-profile cybersecurity settlements have been reported. These cases continue to remind companies to secure personal data and sensitive materials, including data held by third-party vendors, and to conduct a prompt and comprehensive forensic investigation into any incident, so that the determination of what happened is factually correct and, where required, notice to affected individuals is timely.
On April 18, 2019, a multi-million dollar class-action settlement out of Washington State University was approved relating to the theft of a physical hard drive (contained in a safe) with personal information for over one million individuals. Interestingly, the safe was taken from an off-site rented self-storage unit, having nothing to do with any hacking or typical cyberattack. The school has reported that it will no longer store such information in rented units.
On April 26, 2019, Eddie Bauer filed a proposed $9.8 million settlement with Veridian Credit Union and other impacted financial institutions relating to the compromise of bank cards. According to the complaint, hackers installed malware on the retailer’s point-of-sale systems, resulting in the theft of consumer data including names and bank card information. Under the settlement, Eddie Bauer also agreed to take steps to ensure the safety of payment and cybersecurity systems.
On May 6, 2019, the Office for Civil Rights at the U.S. Department of Health and Human Services (OCR) announced a $3 million settlement with Touchstone Medical Imaging, which also agreed to adopt a corrective action plan, following exposure of protected health information (PHI) for over 300,000 patients. OCR’s investigation revealed significant failures, including an initial determination by the company, after an inadequate investigation, that no PHI had been exposed, and then, once the exposure was confirmed, untimely notice of the breach to affected individuals. OCR also determined that the company had failed to conduct a proper risk analysis to identify potential vulnerabilities and had failed to have business associate agreements in place with vendors.