Lessons from Adobe’s State AG Data Breach Settlement

Last month, several state Attorneys General announced a $1M settlement with Adobe Systems, Inc. in connection with a 2013 data incident involving the personal information of roughly 534,000 consumers. The 15 Attorneys General alleged that the software vendor failed to provide reasonable security safeguards, an allegation Adobe denied in the settlement agreement executed by the parties. The settlement provides closure for the company, but it also reminds industry that state enforcers, in addition to the FTC, are closely eyeing the adequacy of security safeguards in software products and services.

Background. Sometime in September 2013, an unauthorized third party accessed and removed customer order information from Adobe’s systems. The information included names, addresses and telephone numbers, usernames, email addresses, encrypted passwords, plain text password hints, and encrypted payment card numbers and payment card expiration dates (PI). Adobe stated that there is no evidence that decrypted payment card data were pulled from its systems and presented an extensive list of remedial measures it took in response to the breach. However, the Attorneys General believed that the risk of unauthorized access was reasonably foreseeable, noting that when the third party exfiltrated the PI, Adobe did not immediately detect it. Adobe’s actions, according to the Attorneys General, ran counter to its promise to consumers that it would take reasonable steps to protect PI.

Settlement Details. This investigation involved 15 Attorneys General representing the states of Connecticut, Arkansas, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont. In addition to a $1M civil penalty payment, Adobe agreed to certain PI-specific safeguards, including training relevant employees regarding security practices, performing ongoing risk assessments and penetration tests, segregating payment card information, and employing tokenization. Adobe also must provide an audit report regarding its security practices relating to PI.

It’s interesting that this settlement concerns an alleged security breach that occurred over three years ago, and indeed it underscores the long tail of consequences that a company can face after it incurs a reportable breach involving personal information. This action, and the over 100 privacy and security enforcement actions by the FTC, are a good reminder to review settlements such as this one to understand state expectations on “reasonable security,” and what constitutes a reasonably foreseeable risk. Helpful resources also include the FTC’s new business guidance on data security breaches, which we covered in a previous post, and earlier guidance on protecting personal information.