Adobe Systems, Inc., reached a $1 million deal with 15 state attorneys general after a security breach allowed hackers to access the personal information of roughly 552,000 consumers in those states.
In September 2013, Adobe learned that an unauthorized attempt was made to decrypt encrypted customer payment card numbers that were maintained on an application server. A subsequent investigation by the company revealed that hackers had compromised a public-facing Web server to access other servers on Adobe's network in order to steal data.
As a result of the attack, the hackers obtained consumers' names, addresses and telephone numbers, usernames, e-mail addresses, encrypted passwords associated with the usernames, plain text password hints, and encrypted payment card numbers and expiration dates.
The AGs stepped in and accused Adobe of failing to employ reasonable security measures to protect its systems and customer information in contravention of the company's representations to consumers that it would take reasonable steps to protect their personal information.
Although Adobe denied the allegations, the company elected to reach a deal with the AGs from Connecticut, Arkansas, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Missouri, Minnesota, Mississippi, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont. Pursuant to an Assurance of Voluntary Compliance, the company will pay $1 million to be divided among the 15 states.
Adobe also promised to comply with the various states' consumer protection statutes, maintain reasonable security policies and procedures designed to protect personal information, and not make any false representations to deceive or mislead consumers about the safeguarding of personal information. The company will review its policies and procedures at least twice annually, train relevant employees, and perform ongoing risk assessments and penetration testing.
In addition, various remedial steps were already taken in response to the breach, including adding two-factor authentication for affected servers, implementing additional network sensors, increasing monitoring on servers containing and processing customer account information, and restricting access to certain servers.
A report prepared by an independent third-party auditor on Adobe's security practices with regard to personal information will be shared with the state AGs, along with a certification of its compliance with the Assurance.
"Consumers should have a reasonable expectation that their personal and financial information is properly safeguarded from unauthorized access," Connecticut AG George Jepsen said in a statement about the action. "Companies have a responsibility to consumers to protect their personal information, and this settlement will ensure Adobe establishes stronger safeguards in the future," added Illinois AG Lisa Madigan.
To read the Assurance of Voluntary Compliance in In the Matter of Adobe Systems, Inc., click here.
Why it matters: The action is yet another example of the fallout companies can experience in the wake of a data breach or hacking attack. In addition to the agreement with the state attorneys general, the Assurance left open the door for consumer class actions by expressly stating that it shall not be construed to "waive or limit any private right of action."