A coalition of 15 state Attorneys General recently settled with Adobe Systems, Inc. for $1,000,000 to address allegations that Adobe’s security measures were too lax and led to a 2013 breach affecting the personal information of 534,000 individuals. The incident occurred when an unauthorized party compromised a public-facing Adobe server and exfiltrated personal information stored on Adobe’s network. Adobe discovered the issue after investigating the party’s later attempt to decrypt information stored on Adobe’s servers. The Attorneys General alleged that Adobe failed to employ reasonable security measures to protect the personal information on its systems, in violation of the representative states’ consumer protection and personal information safeguard statutes. Namely, the Attorneys General took the position that Abode did not have a mechanism in place to promptly detect and respond to unauthorized activity within its systems. The Attorneys General further alleged Abode may not have had safeguards in place to prevent the unauthorized exfiltration of information from its network.

In addition to the settlement amount, Abode agreed to take action on a number of data security measures. In particular, Abode agreed to maintain reasonable security policies and procedures to protect the personal information under its purview and implement ongoing security monitoring measures, including penetration testing and risk assessments.

TIP: This case serves as a reminder that State Attorneys General may group together to pursue a company for its alleged insufficient security measures when the company suffers a data breach.