Data Security Company Settles State Claims Arising from Data Breach

A data security company settled claims brought by a multistate coalition of Attorneys General ("AGs") for failing to disclose theft of customer data resulting from a cyberattack. (See also, related SEC enforcement action).

The AGs initiated an investigation of the company after a 2020 data breach involving sensitive data related to donors and various non-profit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations and cultural organizations. According to a release issued by the New York State Attorney General, the AGs determined that the company (i) "failed to implement reasonable data security and fix known security gaps, which allowed unauthorized persons to gain access to [the] network," and (ii) "neglected to provide its customers with timely, complete, or accurate information regarding the breach, as required by law." The AGs stated that "notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all," and that the company "downplayed the incident and led its customers to believe that no notification was required."

In an Assurance of Voluntary Compliance Agreement, the New York Attorney General stated that the company violated the state's unfair or deceptive acts and practices law (a/k/a the "Consumer Protection Law"), its personal information protection law, its data breach notification law and the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Similar agreements were simultaneously entered into by other state AGs. To settle the charges, the company agreed to (i) implement a written response plan for security incidents, (ii) maintain a comprehensive information security program and (iii) pay $49,500,000, to be divided among the AGs at their discretion.