We will continue to see an increase in cyberattacks on a global level. This article will review the 10 biggest cybersecurity-related legal payments of 2021 resulting from enforceable actions by regulators, violations against privacy regulations/law and class action suits stemming from breaches or lapses in security controls.

2021’s most notable fines, penalties and settlements

Privacy Regulations/Laws (e.g., General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) etc.)

WhatsApp Ireland Ltd.

In September 2021, Ireland’s Data Protection Commission (DPC) issued a €225 million fine against WhatsApp for noncompliance with GDPR’s transparency obligations to both users and non-users of WhatsApp’s services. This fine was issued in response to a complaint made by privacy activist Max Schrems against WhatsApp’s transparency obligations around a possible sharing of personal data between WhatsApp and several Facebook companies in 2018. In December 2020, the Irish DPC concluded its investigation and sent its draft decision to other Concerned Supervisory Authorities (CSA) within the European Union (EU)/ European Economic Area (EEA) for consideration, as required by the GDPR. However, a number of the other supervisory authorities raised objections to the draft conclusions and the proposed fine of up to €50 million. This resulted in the European Data Protection Board (EDPB) intervention who requested that the Irish DPC reassess its draft decision regarding the infringements of transparency, the proposed fine, and the period required to comply with its transparency obligations.

Excellus Health Plan

In January 2021, Excellus Health Plan agreed to pay the Office for Civil Rights (Department of Health and Human Services, United States) a $5.1 million fine regarding potential violations against the HIPAA Privacy and Security Rules. In 2015, Excellus experienced a cyberattack where malicious and unauthorized individuals gained access to its information technology (IT) systems resulting in a potential compromise of electronically protected health information (ePHI) of over 9.3 million individuals. An investigation of Excellus’s cybersecurity program by OCR resulted in potential violations against the HIPAA Rules (including failure to conduct an enterprise risk assessment, implement security measures including access controls and technical policies and procedures). In addition, Excellus agreed to undertake a corrective action plan around its security management process, policies and procedures and two years of monitoring.

Notebooksbilliger.de

In January 2021, Lower Saxony’s Data Supervisory Authority (LfD Niedersachsen) issued a €10.4 million fine against Notebooksbilliger.de, a German electronics retailer, for noncompliance against the general data processing principles and insufficient legal basis for data processing. Notebooksbilliger.de had monitored its employees for two years to prevent and investigate criminal offenses and track the flow of goods in the warehouse. This monitoring of its employees (and customers) was carried out without any legal basis for data processing. In addition, the video recordings were kept for over 60 days, which is significantly longer than necessary (and in violation of the Storage Limitation Data Principle) of the GDPR. Note: as of Jan. 8, 2021, the fine was not yet legally binding, and Notebooksbilliger.de had legally designed its video surveillance while providing evidence of such to LfD Niedersachsen.

Vodafone Espana, S. A.U

In March 2021, the Spanish Data Protection Authority (AEPD) issued an €8.15 million fine against Vodafone, a telecommunications giant, for violations against the GDPR and other related laws within Spain. The fine was as a result of the following violations identified during the investigation:

Several complaints were filed against Vodafone’s unsolicited marketing activities such as SMS, calls and emails. Customers had exercised their rights to object to certain processing, yet Vodafone did not comply with ceasing such processing.  Vodafone did not implement appropriate technical and organizational measures (also covering data processors who process personal data on its behalf). Vodafone performed an international personal data transfer to an entity in Peru without ensuring that mandatory contractual clauses for transfer of personal data to processors in third world countries were included in its contractual agreement. Vodafone generated random numbers and addresses and then contacted individuals who did not consent to marketing activities.

Industry-Specific Regulations (e.g., New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies, Securities Act of 1933, Exchange Act of 1934 etc.)

National Securities Corporation

In April 2021, NYDFS issued a $3 million fine to National Securities Corporation for violations against the NYDFS Regulation. During its investigations, NYDFS noted that National Securities was subject to four cybersecurity incidents between 2018 and 2020, out of which two of the incidents were not reported to NYDFS during the 72 hours as required by the NYDFS Regulations. These cybersecurity incidents involved unauthorized access to employees’ email accounts, including the chief financial officer and clients’ information, resulting in an unauthorized transfer of funds from customers. In addition, National Securities provided a certificate of compliance attesting to its compliance with the NYDFS Regulation for the calendar year 2018 as required. This certificate of compliance was false as National Securities did not implement several security controls such as multi-factor authentication (MFA), access controls.

First American Financial Corporation

In June 2021, the U.S. SEC settled charges against the real estate settlement services company First American for violations against the disclosures requirements regarding cybersecurity risk and incidents of the commission statement and guidance on public companies. First American agreed to a cease-and-desist order and to pay a penalty of $487,616 to SEC. In 2019, First American was notified of a vulnerability affecting its application used for sharing personally identifiable information (PII) and sensitive information of its clients dating back to as far back as 2003 by a cybersecurity company. The vulnerability allowed over 800 million documents related to real estate transactions to be publicly available over its website without authorization. Shortly after the story about the vulnerability was published, First American issued an 8-K filing with the SEC stating that First American was not aware of the vulnerability. However, during SEC’s investigation, it was noted that the vulnerability was identified by First American’s information security team months before during an internal audit; however, the security team failed to remediate the vulnerability in a timely manner as defined in the company’s policy. In addition, they were unable to notify senior management of the vulnerability. First American is also required to comply with the NYDFS regulations. Therefore, this vulnerability and breach violate several requirements per the NYDFS Regulations. Investigations by NYDFS are still ongoing.

Pearson Plc

In August 2021, the U.S. SEC settled charges against Pearson Plc, a publishing and education company, for violations against the disclosures requirements in the commission’s statement and guidance on the public company regarding cybersecurity risks and incidents. Pearson Plc. agreed to a cease-and-desist order and to pay a penalty of $1 million to SEC. In 2019, Pearson announced that it was notified by the Federal Bureau of Investigation (FBI) that it was a cyberattack target that resulted in a data breach of PII in 2018. This data breach affected over 13,000 school and university accounts, mostly in the United States, via its student monitoring and assessment platform, AIMSweb. However, per investigations by the SEC, it was noted that Pearson made misleading statements about the data breach. In July 2019, during its semi-annual reporting, Pearson had referred to the data breach as a hypothetical risk when the data breach had already occurred, and they were already notified. In addition, Pearson had mentioned that it had strict cybersecurity controls in place when the vulnerability which led to the exposure of the personal data was not remediated until six months after they were notified. Pearson also failed to mention that the PII of students was stolen during the attack.

Lawsuits

Zoom Video Communications (Zoom)

In July 2021, Zoom agreed to pay $85 million to settle a class action suit filed alleging that it violated users’ privacy rights by not providing encryption security, sharing users’ PII without notice or consent with companies such as Facebook, Google etc. and also failing to protect users (and zoom meetings) from unauthorized interruptions (“zoom bombing”). Per the settlement terms, all subscribers who paid for an account will be eligible to receive 15% of the subscription fee or $25, which is greater. Other zoom users are eligible to claim $15. In addition, Zoom agreed to make some changes to improve users’ security and privacy concerns, including updating its privacy notice to indicate that user data can be shared via third-party software and educating its users about the security features. The proposed settlement is scheduled to be approved on Oct. 21, 2021.

Minted Inc.

In May 2021, Minted (a U.S.-based marketplace) agreed to establish a $5 million settlement fund to settle a class-action suit filed for violations against the California Consumer Privacy Act (CCPA) by failing to take reasonable steps in protecting consumer data, detecting the data breach and also notifying customers on time. In 2020, Minted was a cyberattack target that resulted in a data breach and the exposure of over 4.1 million PII of customers and the eventual sale of the records on the dark web by a hacking group named Shiny Hunter. Three weeks after Minted was notified of the sale of their records online, they notified their customers that they were affected by a cyberattack. Per the settlement terms, subscribers affected in the data breach will receive up to $43 and two years of credit services, including credit monitoring, fraud alerts and identity restoration services. In addition, Minted will implement several changes to improve users’ security and privacy concerns, including conducting a cybersecurity audit to ensure compliance with System and Organization Control 2 (SOC 2) for the next two years. The final approval hearing is scheduled to be held on Dec. 2, 2021.

Compliance with the law

In conclusion, organizations need to review their all data processing activities and ensure that they are in line with the requirements of relevant laws such as legal basis for processing, data subjects rights, management of data processors and international data transfers. They also need to implement an information security program following an assessment of their IT risks including cybersecurity and data privacy. In addition, organizations should conduct regular security assessments to identify and remediate security controls gaps in a timely manner.  Today, organizations are also exposed to compliance risk resulting from violations of laws, regulations and codes of conduct. It is important to perform compliance risk assessments to identify, prioritize and controls risks related to noncompliance that could lead to fines or penalties.  

Sources