By Nicole D. Prysby, J.D.
The Fed and OCC have announced consent orders, including an $80 million civil money penalty, against Capital One over the data breach the bank announced in 2019.
The Federal Reserve Board and the Office of the Comptroller of the Currency have announced enforcement actions against Capital One Financial Corporation over the 2019 data breach in which an outside individual gained unauthorized access to the personal information of approximately 100 million persons in the U.S. Capital One signed consent orders with both agencies. The cease and desist order with the Fed requires the bank’s board of directors to submit plans to improve risk management and oversight. The consent orders with the OCC include a civil money penalty of $80 million and a cease and desist order requiring the bank to establish a compliance committee, adopt a comprehensive action plan to implement corrective actions, and adopt a plan to improve oversight of the bank’s cloud operating environment information security program.
In 2019, Capital One announced a data breach in which an individual outside the corporation gained unauthorized access to the personal information of approximately 100 million persons in the U.S. who had applied for its credit card products, as well as to information on existing Capital One credit card customers. The largest category of information accessed related to consumers and small businesses and included personal information such as names, addresses, zip codes, postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Portions of data on existing Capital One credit card customers also were accessed, including approximately 140,000 Social Security numbers of credit card customers and 80,000 linked bank account numbers (see Banking and Finance Law Daily, July 30, 2020).
In August, the Fed announced a cease and desist order against Capital One as a result of the 2019 data breach. The cease and desist order requires the Capital One board of directors to submit a written plan to improve and strengthen oversight of Capital One’s risk management program, as well as governance and internal controls related to risk management, including an internal audit program. Capital One must also submit periodic progress reports.
Meanwhile, the OCC announced an $80 million civil money penalty against Capital One, based on the bank’s failure to establish effective risk assessment processes before migrating significant information technology operations to a public cloud environment and its failure to correct the resulting deficiencies in a timely manner. The OCC and Capital One signed two consent orders. The first imposes the civil money penalty and explains that the bank’s failure to establish effective risk management procedures and to identify weaknesses in its cloud operating environment placed it in noncompliance with 12 CFR Part 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards." The second is a cease and desist order requiring additional actions by the bank’s board of directors: creating a compliance committee, adopting a comprehensive action plan to implement corrective actions, and adopting a plan to improve oversight of the bank’s cloud operating environment information security program. The bank must also develop a risk assessment plan, a cloud operations risk management plan, and plans to improve independent risk management of the cloud operating environment and related internal controls and audits.
Banking and Finance Law Daily: Breaking legal news at your fingertips