Lessons from Adobe Systems’ Million Dollar Privacy Settlement with Kentucky’s Attorney General
We’ve written before that if your business collects personal information, you not only need to do your best to protect that information, you better be careful not to promise more security than you can deliver.
A recent regulatory settlement agreement with tech giant Adobe Systems illustrates our point while offering a helpful checklist of best practices for cybersecurity any business can use to evaluate its own electronic hygiene.
In September 2013 Adobe discovered an unauthorized attempt to unscramble encrypted credit card numbers housed on one of its servers. Adobe stopped the hack, disconnected the server from the Internet, and investigated.
The company discovered an attacker had penetrated a public-facing web server then burrowed laterally into other servers on Adobe’s corporate network. The attacker was able to steal data, including customer names, addresses, encrypted passwords, password hints, and the encrypted payment card numbers.
After the breach was publicized, several state Attorneys General (led by Connecticut’s) collaborated in an investigation of Adobe’s security measures, leading them to conclude the risk of unauthorized access through the public-facing server had been reasonably foreseeable to Adobe. Moreover, the AGs concluded Adobe had failed to honor its own representations to customers that it would take reasonable steps to protect the information that was stolen.
Adobe denied all these claims, and said there was no evidence any of the decrypted payment card numbers were ever removed or exploited, but recently agreed to pay $1 million in settlement of the investigation.
The company also agreed to “maintain reasonable security policies and procedures designed to protect Personal Information.” Remedial steps Adobe implemented after the breach included:
- Enforcing two-factor authentication on affected servers
- Segregating some websites to 3rd party services that do not have access to Adobe’s internal network
- Adding monitoring alerts and sensors, plus network blocks for indicators of compromise
- Resetting all administrative passwords and implementing network access control lists
- Implementing tokenization for all card numbers processed using Adobe’s merchant ID
This remediation reflects some of the basic cyber-hygiene practices many businesses have failed to implement. And that’s a mistake that could prove costly.
As we’ve discussed in other contexts, cybersecurity best practices, even when voluntary, have a way of becoming the common law governing disputes between businesses and customers. FFIEC cybersecurity guidance for financial institutions is a memorable example. And regulators often weigh such practices against corporate promises when deciding whether to bring enforcement actions.
One final takeaway from the Adobe settlement: the company has agreed not to make any future representations that “have the capacity, tendency, or effect of deceiving or misleading on consumers in connection with the safeguarding of Personal Information.” Consider this question: would your business be able to uphold this representation now? If the answer is uncertain, contact a member of SKO’s Privacy and Information Security Practice.
Meanwhile, here are a few tips to consider if you communicate to customers about protecting their data.
- Use specific language to describe security measures, unless naming a specific standard could itself compromise security.
- Realize that you must be accurate in your online statements, not only when the language is initially used, but each time that the online contract or privacy policy is accessed by a user.
- Understand the state of the art in network security is evolving, so if you want to refer to an industry standard, be specific, if possible, and know the use of the terminology means that you must constantly update security so that your statement is accurate at all times.
And think about other places where you make statements about your capabilities, like marketing collateral.