By: Payton Hoff & Anis Houssein
In the middle of 2019, Capital One faced more than thirty federal class actions after the bank’s announcement of a data breach that uncovered the data of about 100 million customers in Canada and the United States. Class actions have been filed in federal courts in Virginia, where Capital One is headquartered, as well as Washington, D.C., Seattle, San Francisco, New York, Philadelphia, and Tampa.
On July 19, 2019, an unauthorized entry by a data thief allowed the acquisition of Capital One’s credit card customers’ personal information. The breach affected over 100 million individuals in the United States. The information exposed was information that the bank obtained between the period of 2005 through the first three months of 2019.
Capital One announced the breach on July 29, about two weeks after company officials claim they discovered the cyberattack. Capital One said it expected up to $150 million in costs because of the breach, including charges for legal support, and had $400 million in insurance coverage.
Capital One, after the discovery of the breach, directly notified by mail all individuals whose personal information was accessed. Capital One informed these individuals that it would continue to offer free credit monitoring and identity protection software to prevent any potential use of their data.
In their lawsuits against Capital One, the customers alleged that the banking company’s failure to honor its duty under the contract that required, as is required of any bank, to engineer effective cybersecurity systems, anti-hacking technological software, and to alert users of intrusion within an hour of detection and to maintain reporting systems sufficient to protect private information from unauthorized access. Another obligation that Capital One is alleged to have failed to honor is the duty to delete any private information the bank does not need, such as rejected applications.
Capital One is also subject to federal law under the Gramm-Leach-Bliley Act (GLBA). Banks under the act are subject to specific requirements in the area of protecting private information. The act requires banks to demonstrate their processes for sharing personal data, the necessity of using the information in the banking business to potential applicants and customers, and how they are going to protect the information.
Therefore, Capital One has allegedly breached its obligations to maintain appropriate technological and other systematic programs to prevent unauthorized access to customers’ data, failing to minimize the private information that any intrusion could compromise, and failing to notify its customers of the data breach at the right time. Customers allege that Capital One provided the means for a third party to access, obtain, and misuse their private information and that all the above duties were reasonably foreseeable to any bank in the business that this kind of breaches would expose the private information to criminals.
Moreover, the allegations stated that Capital One knowingly and deliberately enriched itself by saving the costs the banking company reasonably should have spent on data security measures and the best protection system in the market to secure private information. Instead of providing a reasonable level of security, Capital One utilized cheaper, ineffective security measures at the expense of their customers. The victims, on the other hand, suffered as a direct and proximate result of Capital Ones’ decision to prioritize profits over security. The victims suffered and will continue to suffer injuries in the form of identity theft, attempted identity theft, loss of privacy, nuisance, and the expenses of mitigating those harms.
What We Think
Capital One will most likely go through the same scenario that Equifax went through in 2017. Equifax paid about $650 million to settle most lawsuits against the company because of their 2017 data breach. Equifax’s settlement has been, so far, the largest settlement of a data breach case in dollars and number of victims.
The settlement covered almost half of the inhabitants of the United States. The settlement not only compensated victims who lost funds, but also compensated people who suffered through the hassles of bank phone and credit-card customer service lines at $25 an hour. Nearly half of the settlement, $300 million, went towards victims who lost their private information to the data breach. The company also paid fines to end the investigations. Equifax paid $275 million in penalties to the Federal Trade Commission, the Consumer Financial Customer Protection Bureau, and forty-eight states.
Additionally, in the settlement, Equifax agreed to provide up to ten years of free credit monitoring services for about seven million people. However, if another million victims decide to sign up, it would cost Equifax more than $16 million. If all 147 million victims were to take part in the case, Equifax would pay more than $2 billion in total. Mr. Norman Siegel, a lawyer representing victims in the settlement, stated that “if people wanted Equifax to pay more, they should sign up for credit monitoring.” Equifax was prepared and added $125 million to the claims fund in case the initial $300 million is depleted besides potential costs for credit monitoring.
Equifax’s situation will likely be the path that Capital One will follow. With these high-profile data breaches happening only within a few years of each other, one should wonder how prepared other financial companies should be to prevent large data breaches, as the ramifications have been shown to be costly for those companies.