Last week, attorneys general in 15 states announced a $1 million settlement with Adobe Systems Inc. (“Adobe”), concluding a multistate investigation related to a 2013 breach of Adobe customer data. The breach, which was announced to the public by Adobe in September 2013, involved the attempted theft of encrypted personal information of approximately 552,000 residents of the participating states. Upon discovery of the breach, Adobe acted to block the decryption of the information and disconnect the breached server from its network. Adobe also took action to protect those impacted by the breach, including notifying those consumers impacted, automatically resetting impacted account passwords, and offering those individuals one year of free credit monitoring.
In addition to the payment, the settlement requires that Adobe implement reforms to prevent future data breaches. In announcing the settlement, a number of attorneys general noted that the investigation determined that “Adobe did not use reasonable security measures to protect its systems from an attack and did not have measures in place to immediately detect an attack.”
Takeaway: Corporations that collect personally identifiable information must remain vigilant to the serious, constant threat posed by data breaches. Companies should ensure that they have policies and practices in place to address a data security incident, including plans to notify consumers, and openly engage with government agencies to assist in protecting the public.