
II. BACKGROUND ON DATA SECURITY IN THE FINANCIAL SERVICES INDUSTRY

A. Data Breaches and Their Far-Reaching Impact

A data breach is an unauthorized entry into a database that allows hackers access to consumer information.30 Breaches have the potential to compromise highly sensitive personal information, including Social Security numbers, credit card numbers, banking information, and passwords.31 System vulnerabilities allow hackers to invade these databases.32 The standard assumption is that these hackers are motivated


24. See infra Part II.

25. See infra Part III.

26. See infra Part IV.

27. See infra Part V.

28. See infra Part VI.

29. See infra Part VII.

30. See Nicole Martin, What Is a Data Breach? FORBES (Feb. 25, 2019, 12:27 PM), https://www.forbes.com/sites/nicolemartin1/2019/02/25/what-is-a-databreach/#70dd67ba14bb [https://perma.cc/3MJW-VXSV] (defining the term data breach and examining the biggest data breach cases across different industries).

31. See id. (explaining that these sensitive sources of information are exploited by cybercriminals for identity theft and other forms of fraud).

32. See 4 Types of Data Breaches You Need to Know, INTERNOS (Oct. 2, 2019), https://www.gointernos.com/the-4-types-of-data-breaches-you-need-to-know/ [https://perma.cc/3FBB-9PVN] (discussing the four major types of data breaches: malware, phishing, ransomware, and denial of service).


by financial gain.33 While evading the risk of prison or federal prosecution, “smart” hackers can make thousands, or even millions, of dollars.34 Targeted criminal activity is the source of numerous breaches.35 However, the majority of data breaches are actually caused by human or system error.36 Human error occurs when employees access data without authorization, handle information or hardware improperly, or violate federal or industry regulations.37 System error happens when a large amount of data is inadvertently transferred from one system to another.38 Regardless of the type of error, breaches can have devastating impacts,39 especially if they are not discovered quickly.40

Data breaches may go undetected for weeks and even months,41 despite the fact that a data breach occurs nearly every day.42 In the financial services industry, it takes an average of 233 days to identify and contain a breach.43 In the meantime, stolen personal information can


33. See Joseph F. Yenouskas & Levi W. Swank, Emerging Legal Issues in Data Breach Class Actions, A.B.A. (July 17, 2018), https://www.americanbar.org/groups/business_law/publications/blt/2018/07/data-breach/ [https://perma.cc/5BJ4-NFBK] (“[E]xisting case law is largely based on the assumption that hackers steal PII [or personally identifiable information] for financial gain, even though hackers are increasingly motivated by non-commercial ends, such as activism, blackmail, or espionage.”).

34. See James Lewis, Economic Impact of Cybercrime: No Slowing Down, MCAFEE 4 (Feb. 2018), https://www.mcafee.com/enterprise/en-us/assets/reports/restricted/rp-economicimpact-cybercrime.pdf [https://perma.cc/FW2S-9SW2] (“A smart cybercriminal can make hundreds of thousands, even millions of dollars with almost no chance of arrest or jail.”) (emphasis added).

35. See Rachael M. Peters, Note, So You’ve Been Notified, Now What? The Problem with Current Data-Breach Notification Laws, 56 ARIZ. L. REV. 1171, 1174 (2014) (“[T]wo-thirds of data breaches are actually caused by human or system error.”).

36. See id.

37. See id. (explaining the various ways in which human error can lead to a data breach).

38. See id. (explaining the various ways in which system error can lead to a data breach).

39. See id. (discussing huge data breaches that occurred within Target, Home Depot, and JP Morgan Chase).

40. See Aimee O’Driscoll, 30+ Data Breach Statistics and Facts, COMPARITECH (Dec. 10, 2020), https://www.comparitech.com/blog/vpn-privacy/data-breach-statistics-facts/ [https://perma.cc/4L2V-NWJQ] (revealing that data breach disclosure reports may be inaccurate given that many breaches go undetected).

41. See PONEMON INST., 2020 Cost of a Data Breach Report, 54 (2020), https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/pdf [https://perma.cc/6BNC-7BJF] (analyzing data breaches that occurred between August 2019 and April 2020, showing that it takes approximately 280 days (depending on industry) to identify and contain a breach).

42. See Peters, supra note 35, at 1172 (“Hardly a day passes without a data breach, and many remain undiscovered for months or even years.”).

43. PONEMON INST., supra note 41, at 54.


travel to black markets or the dark web.44 Moreover, data breaches do not affect all industries equally: the financial services industry is disproportionately impacted.45 In fact, a spokesperson for the Securities and Exchange Commission declared cyberattacks on financial institutions to be “the most pressing issue in corporate governance today.”46 Compared to other industries, banks have more to lose when a breach occurs.47

Data breaches expose banks to financial, reputational, and legal risks.48 It is becoming increasingly common for banks to pay millions of dollars in settlements with regulators and then implement new security protocols after a breach.49 Incidents that compromise consumers’


44. See, e.g., Jay P. Kesan & Carol M. Hayes, Liability for Data Injuries, 2019 U. ILL. L. REV. 295, 349 (2019) (discussing the existence of a black market for personal consumer financial information); Doug Shadel & Neil Wertheimer, Is My Identity on the Dark Web? AARP (Sept. 4, 2018), https://www.aarp.org/money/scams-fraud/info-2018/what-is-thedark-web.html [https://perma.cc/B9YS-WE5D] (detailing the takedown of a deep web website, AlphaBay, which had listings for 4,488 stolen identification numbers and 28,800 stolen credit card numbers); Darren Guccione, What is the Dark Web? How to Access it and What You’ll Find, CSO (Nov. 18, 2020, 3:00 AM), https://www.csoonline.com/article/3249765/what-is-the-dark-web-how-to-access-it-andwhat-youll-find.html [https://perma.cc/CQ7H-7G83] (stating that the dark web is a part of the internet that is invisible to search engines where “[y]ou can buy credit card numbers, all manner of drugs, guns, counterfeit money, stolen subscription credentials, hacked Netflix accounts and software that helps you break into other people’s computers”).

45. See Kesan & Hayes, supra note 44, at 303–04 (“[T]he finance and insurance industries had the highest number of total [data breach] incidents at 5,512.”).

46. See Robert J. Jackson, Jr., Corporate Governance: On the Front Lines of America’s Cyber War (Mar. 15, 2018), https://www.sec.gov/news/speech/speech-jacksoncybersecurity-2018-03-15 [https://perma.cc/7J39-56K8] (discussing how the increasing digital transformation in the United States has given rise to a growing cyber threat).

47. See Dan Ennis, Banks Have More to Lose from Data Breaches Than Other Companies, BANKING DIVE (Sept. 4, 2019), https://www.bankingdive.com/news/bank-data-breachtimely-direct-response-experian/562209/ [https://perma.cc/NVJ2-QKK2] (reporting that survey evidence indicates that financial institutions are at a greater risk to lose their reputation and consumers when a breach occurs in comparison to other industries).

48. See Christina Parajon Skinner, Bank Disclosures of Cyber Exposure, 105 IOWA L. REV. 239, 249 (2019) (explaining how banks may be required by federal securities law to publicly disclose operational risks such as data breaches); see also Ennis, supra note 47 (examining how banks’ consumer base and reputation are on the line when a data breach occurs).

personal information are the most costly, and most common, type of breach.50 Further, the reputation of the bank is on the line when it experiences a data breach, regardless of the severity or scope of the breach.51 It is well documented that data breaches do irreparable harm to consumer trust.52 Following Equifax’s 2017 breach, consumer data showed the company to be the least trusted of the three major credit reporting agencies.53 In fact, lost business profits resulting from the lack of consumer trust—like customer turnover and efforts directed at acquiring new customers—account for approximately 40% of the average total cost of a breach (a whopping $1.52 million).54


49. See Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach, FED. TRADE COMM’N. (July 22, 2019), https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-partsettlement-ftc-cfpb-states-related [https://perma.cc/N4HQ-TYBX] [hereinafter Equifax to Pay $575 Million] (examining the details of Equifax’s proposed $575 million settlement agreement with the Federal Trade Commission, Consumer Financial Protection Bureau, and U.S. states and territories as a result of Equifax’s 2017 data breach); see also Kevin Wack, Capital One to Pay $80M in Connection with Massive Data Breach, AM. BANKER (Aug. 6, 2020, 12:30 PM), https://www.americanbanker.com/news/capital-one-to-pay-80m-inconnection-with-massive-data-breach [https://perma.cc/Y5NJ-CRTR] (disclosing details of Capital One’s $80 million settlement with the Office of the Comptroller of the Currency following the bank’s 2019 data breach, including the requirement that Capital One develop new cybersecurity action plans).

50. See PONEMON INST., supra note 39, at 8 (“Customers’ personally identifiable information (PII) was the most frequently compromised type of record, and the costliest, in the data breaches studied.”).

51. See, e.g., Consumer Intelligence Series: Protect.me, PWC at 3 (2017), https://www.pwc.com/us/en/advisory-services/publications/consumer-intelligenceseries/protect-me/cis-protect-me-findings.pdf [https://perma.cc/9Y5U-RPM9] [hereinafter Consumer Intelligence Series] (reporting that 85% of consumers will not do business with a company that has dubious security practices); see also 81% of Consumers Would Stop Engaging with a Brand Online after a Data Breach, Reports Ping Identity, BUS. WIRE (Oct. 22, 2019, 8:00 AM), https://www.businesswire.com/news/home/20191022005072/en/81-ofConsumers-Would-Stop-Engaging-with-a-Brand-Online-After-a-Data-Breach-ReportsPing-Identity [https://perma.cc/J7VA-ZZ9] [hereinafter 81% Would Stop Engaging after a Data Breach] (reporting that 81% of survey respondents would stop engaging in business with a company that suffered a data breach); Ennis, supra note 47 (“[F]inancial services companies have more to lose — both in reputation and customer base — than do other businesses.”).

52. See, e.g., Consumer Intelligence Series, supra note 51, at 3 (providing statistics on how consumers expect regulators and companies to safeguard their data); 81% Would Stop Engaging after a Data Breach, supra note 51 (using statistical data to show that consumers may abandon a brand if their personal data was not protected by the company); Ennis, supra note 47 (“[Sixty-six percent] of people surveyed said they would stop doing business with a company that had a slow or ineffective response to a data breach and would switch to a competitor. And 45% said they would tell their family and friends to stop doing business with the company.”).

53. See Sabrina Karl, Consumer Trust in Equifax Sinks after Data Breach, CREDITCARDS.COM (Mar. 26, 2018), https://www.creditcards.com/credit-card-news/equifaxconsumer-trust-after-breach/ [https://perma.cc/LS3S-TRVA] (reporting that, after the Equifax breach, 28% of surveyed consumers did not trust Experian, 27% did not trust TransUnion, and a whopping 40% of consumers did not trust Equifax).

54. PONEMON INST., supra note 39, at 10.


Another painful repercussion on a bank’s reputation stems from attacks on its credibility.55 A breach may lead to doubts of the breached bank’s ability to protect its depositors.56 This mistrust can produce a “trickle-up” panic effect, in which panic amongst depositors triggers a panic amongst lenders.57 A breach can halt the “operational resilience” of a bank, damaging its ability to transfer credit or facilitate payments.58 The inability of a bank to function properly could stall economic activity, making lenders anxious.59 The activity of worried lenders—who doubt the resiliency of the bank—might result in higher margins on the bank’s collateral and cause a drop in the value of its assets.60

On the legal side, breaches expose banks to potential class action lawsuits from affected customers.61 The degree of data protection varies from state to state, as do the penalties.62 Regardless, each state, at the


55. See Skinner, supra note 48, at 272 (“The public has a strong interest in the uninterrupted provision of the critical economic services that these big banks provide—payments, credit intermediation, and the provision of demand-deposit services. A cyberattack could threaten any or all of these functions at once.”).

56. See id. (“An attack directed to a bank’s infrastructure could, for instance, halt its ability to facilitate payments; an attack could also constrict the transfer of credit between financial institutions, or from banks to the real economy—any of these scenarios could bring real economic activity to a crawl or total halt. A cyberattack . . . could also be viewed by markets as a serious reputational event, which could incite depositor panic.”).

57. See id. at 272 (discussing how stalled economic activity could contribute to serious reputational harm to a bank).

58. See id. (“A bank’s operational resilience is a public good, too. The public has a strong interest in the uninterrupted provision of the critical economic services that these big banks provide—payments, credit intermediation, and the provision of demand-deposit services. A cyberattack could threaten any or all of these functions at once.”).

59. Id.

60. Id.; see Christina Parajon Skinner, Regulating Nonbanks: A Plan for SIFI Lite, 105 GEO. L.J. 1379, 1421 (2017) (“A technological event (like a cyberattack or systems glitch or failure) also implicates run-risk insofar as the market could perceive an operational event as a reputational event, inciting panic. And operational events could lead to counterparty losses to the extent they prompt demands for higher margins on collateral (or the calling in of callable assets).”).

61. See Yenouskas & Swank, supra note 33 (examining how data breaches have led to a plethora of class action lawsuits).

62. See Cathy Cosgrove, CCPA Litigation: Shaping the Contours of the Private Right of Action, INT’L ASS’N OF PRIV. PROS. (June 8, 2020), https://iapp.org/news/a/ccpa-litigationshaping-the-contours-of-the-private-right-of-action/ [https://perma.cc/95WN-WSSB] (stating that California goes further in its data protection laws than other states by offering a private right of action to injured consumers); see also THE DEFINITIVE GUIDE TO U.S. STATE DATA BREACH LAWS, DIGIT. GUARDIAN 1, 1 (2018), https://info.digitalguardian.com/rs/768- OQW-145/images/the-definitive-guide-to-us-state-data-breach-laws.pdf [https://perma.cc/7SLW-5P8Z] (reporting that many states impose civil penalties on companies that experience a breach).


minimum, has its own consumer notification requirements in the event of a data breach.63 Thus, the burdens of a breach are compounded when a bank has to investigate the different state laws pertaining to affected customers to determine the legal guidelines for proper consumer notification.64 That is, of course, assuming that a bank chooses to notify its consumers of the breach.65

The harm suffered from a breach extends far beyond the breached entity—it also affects the breached subjects.66 The effects of a data breach encompass both tangible and psychological harms for its victims.67 For consumers, financial injuries are frequently the most visible harms suffered as a result of a data breach.68 Data harms have led to consumers losing their homes, filing for bankruptcy, having their utilities cut off, and incurring legal fees to recover damages resulting


63. See Ieuan Jolly, Data Protection in the United States: Overview, WESTLAW (database current June 8, 2020) (providing a high-level overview of federal and state data protection laws).

64. See Peters, supra note 35, at 1174–75 (explaining that state laws differ in their notification requirements and that it can be extremely burdensome for banks to comply with every state law pertaining to their breached consumers); see generally Jolly, supra note 63 (discussing the inconsistency of state laws regulating personal data collection, and how federal and state laws often “overlap, dovetail, and contradict one another”).

65. See 10,000 Breaches Later: Top Five Financial, Credit and Banking Data Breaches, IDENTITY THEFT RES. CTR. (Nov. 12, 2019), https://www.idtheftcenter.org/10000-breacheslater-top-five-financial-credit-and-banking-data-breaches/ [https://perma.cc/L4E4-CGTD] (stating that JP Morgan Chase did not send out notification letters to scores of customers affected by its 2014 breach, which exposed personal information of seventy-six million households and seven million businesses). But see Kevin Wack, Bank Regulators Mull Stricter Rules for Reporting of Data Breaches, AM. BANKER (Dec. 14, 2020, 3:09 PM), https://www.americanbanker.com/news/bank-regulators-mull-stricter-rules-for-reporting-ofdata-breaches [https://perma.cc/7YSL-DBMW] (discussing a potential push for new rulemaking by federal banking agencies, which would require banks to promptly report cyber security intrusions to their regulators).

66. See Max Meglio, Note, Embracing Insecurity: Harm Reduction Through a No-Fault Approach to Consumer Data Breach Litigation, 61 B.C. L. REV. 1223, 1227 (2020) (“Data breaches create substantial costs that are borne by data subjects, the breached entity, and other third-parties.”).

67. See Kesan & Hayes, supra note 44, at 347 (discussing how a data breach can encroach upon a consumer’s autonomy).

68. See id. at 303 (discussing how data breaches are most commonly viewed in light of their financial impact); see also Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data Breach Harms, 96 TEX. L. REV. 737, 755–56 (2016) (“Requiring harm to be visceral and vested has severely restricted the recognition of data-breach harms, which rarely have these qualities. Data-breach harms are not easy to see, at least not in any physical way. They are not tangible like broken limbs and destroyed property. Instead, the harm is intangible.”).


from a breach.69 However, the impact of a breach cuts even deeper—it also injures a person’s autonomy.70 Victims can experience fear, anxiety, and stress over data breaches.71 These psychological consequences may also have physical repercussions such as disturbances in sleep habits, trouble concentrating, aches, pains, headaches, and cramps.72 Data breaches have even driven victims to suicide.73

Data breaches are also a huge drain on the global economy.74 Richer countries are more affected by the costs associated with cybercrime.75 The United States suffers the highest financial costs for data breaches.76 On average, a U.S. bank suffers a loss of $3.86 million per data breach.77 Due to the shift to remote work caused by COVID-19, the average total cost of a data breach in the United States is expected to increase to $4 million in 2021 given the growing number of human and digital targets.78 Globally, the costs associated with cybercrime are


69. See Solove & Citron, supra note 68, at 756–57 (discussing ways in which a data breach can lead to financial ruin for consumers).

70. See Kesan & Hayes, supra note 44, at 347 (discussing an approach to digital harm which emphasizes the impact a breach has on a person’s autonomy).

71. See Kesan & Hayes, supra note 44, at 336–37 (“[D]ata breaches offend social order. Society recognizes that theft is wrong. But theft is about things, and data breaches are often about people. The injury is harder to observe. Injuries caused by data breaches are often more psychological in nature, like apprehension of future injuries.”).

72. See Jessica Guynn, Anxiety, Depression and PTSD: The Hidden Epidemic of Data Breaches and Cyber Crimes, USA TODAY, https://www.usatoday.com/story/tech/conferences/2020/02/21/data-breach-tips-mentalhealth-toll-depression-anxiety/4763823002/ [https://perma.cc/35JF-NTMF] (last updated Feb. 24, 2020, 9:18 AM) (discussing the psychological harms that data injury victims face in the aftermath of a data breach).

73. See, e.g., id. (revealing that some injured consumers committed suicide in the fallout of the Ashley Madison data breach); see also Laurie Seagall, Pastor Outed on Ashley Madison Commits Suicide, CNN BUS. (Sept. 8, 2015, 7:10 PM), https://money.cnn.com/2015/09/08/technology/ashley-madison-suicide/ (discussing the case of a pastor who committed suicide six days after hackers exposed the names of millions of consumers who used the Ashley Madison website, and how the pastor mentioned Ashley Madison in his suicide note).

74. See PONEMON INST., supra note 41, at 5–15 (breaking down the high costs of data breaches across the world, with the average total cost of a breach amounting to $3.86 million).

75. See Lewis, supra note 34, at 7 (reporting that the costs of cybercrime are unevenly distributed across the globe, with some countries affected more than others).

76. PONEMON INST., supra note 41, at 5.

77. Id.

expected to rise to $6 trillion annually in 2021.79 Cybercrime ultimately is a major threat to domestic and global economies because its ramifications touch everyone.80

B. How Prevalent Are Data Breaches?

Cyberattacks are the fastest growing crime in the United States.81 It is unlikely the rate of these attacks will decline given the growing number of consumers with a “digital-first, branch second approach.”82 Indeed, the allure of digital banking has led the majority of consumers to prefer a digital relationship with their bank.83 With constant access to their accounts, consumers often find online banking more convenient than having to visit a brick-and-mortar location.84 Paying bills online is not only faster, but it also allows for recurring payments so consumers do not risk a penalty due to a forgotten bill.85 Certain advantages incentivize


78. See id. at 9 (reporting that a remote workforce will increase the cost of a data breach from $3.86 million to $4 million); see also Steve Morgan, Global Cybercrime Damages Predicted to Reach $6 Trillion Annually By 2021, CYBERCRIME MAG. (Dec. 7, 2018), https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/ [https://perma.cc/5FV3-MWT4] (discussing how there will be more digital targets due to an increase in wearable digital devices like smart watches, fitness monitors, and body-worn cameras).

79. See Morgan, supra note 78 (discussing the increase in global cybercrime costs to $6 trillion in 2021, which is double the total global cost of $3 trillion in 2015).

80. See Lewis, supra note 34, at 4 (“Where cybercrime is the undisputed leader, however, is in its ability to make hundreds of millions of people victims. . . . Cybercrime is front-page news because it touches everyone.”).

81. See Morgan, supra note 78 (reporting that cybercrime costs are expected to increase in 2021).

82. See Brian Acton, How Millennials Are Changing Banking, POLICYGENIUS (Sept. 5, 2019), https://www.policygenius.com/blog/how-millennials-are-changing-banking/ [https://perma.cc/679M-JLF6] (examining the growing demand for digital banking platforms among millennials).

83. See Daniela Yu & Jon Hughes, Struggle for Banks: Migrating Customers to Digital, GALLUP (Oct. 27, 2016), https://news.gallup.com/businessjournal/196778/struggle-banksmigrating-customersdigital.aspx?utm_source=link_wwwv9&utm_campaign=item_237695&utm_medium=copy [https://perma.cc/LZT4-KP5B] (discussing how 56% of surveyed consumer bankers prefer using digital channels).

84. See Liz Knueven, Online Banking Isn’t Just for Millennials Anymore—it’s Quickly Becoming the Norm, BUS. INSIDER (Nov. 14, 2019, 2:13 PM), https://www.businessinsider.com/personal-finance/online-banking-gaining-popularityunited-states [https://perma.cc/BJ34-VP55] (examining how increasing numbers of millennials and Generation Z are using digital banking in comparison to baby boomers).

85. See Joe Young, The Pros and Cons of Online Banking, NASDAQ (Sept. 3, 2014, 8:39 AM), https://www.nasdaq.com/articles/pros-and-cons-online-banking-2014-09-03 [https://perma.cc/W47J-6GCT] (exploring how the advantages of online banking, such as automation and locational convenience, outweigh its disadvantages).


banks to foster this growing digitalization.86 For instance, with lower overhead costs for operating a digital platform, banks can offer higher interest rates on checking and savings accounts in addition to lower fees.87 However, this digitalization puts consumer data at greater risk of cyberattacks.88

The increase in cyberattacks has led to rising costs in cybersecurity protection for banks.89 The financial services sector spends three times the amount on cybersecurity safeguards compared to other industries.90 Regulators agree that data breaches pose a systemic risk to a bank’s operational resilience.91 As a result, banks typically have safeguards in place including encryption, multifactor authentication, and biometric identity verification.92 However, these measures are not


86. See Knueven, supra note 84 (discussing the advantages for banks opting for online platforms as opposed to brick-and-mortar locations, including, but not limited to: lower fees, higher interest rates, and convenience).

87. See id. (“While brick-and-mortar banks have to spend money to keep their branches open, online banks don’t have that overhead. . . . [t]his is why online banks like Ally can offer financial products with big returns like high-yield savings accounts — compare Ally’s variable APY of about 1.7% to 2.2% to traditional banks’ .01% to .1% — and why the bank branch down the street can’t match that rate.”) (emphasis added).

88. See Jim Boehm et al., Safeguarding Against Cyberattack in an Increasingly Digital World, MCKINSEY (June 30, 2020), https://www.mckinsey.com/businessfunctions/mckinsey-digital/our-insights/safeguarding-against-cyberattack-in-anincreasingly-digital-world [https://perma.cc/ZXS2-VB2B] (discussing how the increasingly digitalized and automated world has made the threat of a data breach even more widespread).

89. See Michael McGinn, Cost of Cybercrime Continues to Rise for Financial Services Firms, According to Report from Accenture and Ponemon Institute, ACCENTURE (July 16, 2019), https://newsroom.accenture.com/news/cost-of-cybercrime-continues-to-rise-forfinancial-services-firms-according-to-report-from-accenture-and-ponemon-institute.htm [https://perma.cc/7ZA4-XDRR] (“The cost to address and contain cyberattacks is greater for financial services firms than for companies in any other industry and the containment costs continue to inch upwards[.]”).

90. See Lewis, supra note 34, at 9 (“Cybercrime imposes a heavy cost on financial institutions as they struggle to combat fraud and outright theft. One report says that banks spend three times as much on cybersecurity as non-financial institutions and there is agreement among bank regulators around the work that cybercrime poses a ‘systematic’ risk to financial stability.”).

91. Id.

92. See Meredith E. Bock, Note, Biometrics and Banking: Assessing the Adequacy of the Gramm-Leach-Bliley Act, 24 N.C. BANKING INST. 309, 309 (2020) (stating that banks have incorporated biometrics into their security systems); see also Business Data Security Guide (Measures, Risks & Precautions), SPIRION (Nov. 13, 2020), https://www.spirion.com/blog/business-data-security/ [https://perma.cc/5E5E-6BLN] (examining various data security measures businesses can take to mitigate the threat of a breach).


foolproof, especially when institutions neglect to patch vulnerabilities.93 Such neglect has led to two of the most significant breaches: Capital One and Equifax.94

Capital One is the United States’ fifth-largest consumer bank and the eighth-largest bank overall.95 On July 19, 2019, it discovered that a breach compromised the personal information of approximately a hundred million Americans and six million Canadians.96 The Office of the Comptroller of the Currency (“OCC”), the bank’s federal regulator, said the breach was linked to problems with Capital One’s cloud migration plan.97 While the breach occurred in 2019, vulnerabilities within the bank’s cloud migration plan dated back to 2015.98 Within those four years, Capital One not only failed to implement network security controls, but its internal audits also failed to identify the weaknesses in its cloud operating systems.99

Following the breach, Capital One faced steep regulatory fines and several class-action lawsuits, and its stock plunged.100


93. See Equifax to Pay $575 Million, supra note 49 (mentioning that Equifax had been forewarned about the fatal security error that led to the company’s 2017 breach); Wack, supra note 49 (discussing how problems with Capital One’s cloud migration plan dated back to 2015, and Capital One’s failure to remedy those problems contributed to the fateful 2019 breach).

94. See Equifax to Pay $575 Million, supra note 49 (discussing the details of Equifax’s $575–$700 million settlement); see also Wack, supra note 49 (“Capital One Financial has reached settlements . . . in connection with a 2019 hacking incident that resulted in a massive compromise of customer data.”).

95. Our Company, CAPITAL ONE, https://www.capitalone.com/about/corporateinformation/our-company/ [https://perma.cc/HJ77-WEN7] (last visited Sept. 22, 2020).

96. See Frequently Asked Questions, CAPITAL ONE (Sept. 23, 2019, 4:15 PM), https://www.capitalone.com/facts2019/2/ [https://perma.cc/Q3SM-VA2F] (stating that Capital One discovered on July 19, 2019 that hackers had gained unauthorized access and obtained personal information about Capital One customers and applicants who had applied to become Capital One credit card customers); see also Wack, supra note 49 (“The hack compromised personal data on roughly 100 million Americans, and approximately 6 million Canadians, who either have a Capital One credit card or have applied for one. Capital One has said that roughly 140,000 Social Security numbers were exposed, as were 80,000 bank account numbers.”).

97. Wack, supra note 49.

98. Id.

99. Id.

100. See Trefis Team & Great Speculations, How Could the Recent Data Breach Affect Capital One’s Stock?, FORBES (Sept. 11, 2019, 9:15 AM), https://www.forbes.com/sites/greatspeculations/2019/09/11/how-could-the-recent-databreach-affect-capital-ones-stock/#42ab79c137b7 [https://perma.cc/WE4T-4HZK] (reporting that Capital One’s stock has fallen from $100 per share to $85 per share after its 2019 breach, in addition to legal ramifications and penalties from its regulators).


Capital One notified all affected customers by mail and offered them two years of free credit monitoring.101 As required by its settlement, Capital One agreed to develop and implement additional cybersecurity protocols.102 The protocols included (1) appointing a compliance committee charged with sending periodic updates to the OCC, (2) proposing a “Comprehensive Action Plan” detailing its remedial actions, and (3) improving its cloud migration plan.103

Longstanding neglect also led the credit-reporting agency Equifax to suffer a massive data breach.104 Despite being alerted to a critical security vulnerability in March 2017, Equifax’s 225-person cybersecurity team failed to patch the network,105 and by July 2017, it was too late.106 Hackers invaded the vulnerable database and gained access to Equifax’s network, compromising the personal data of 147 million consumers in the United States.107 Unfortunately, the errors did not stop there.108 After the breach, Equifax accidentally directed users to


101. Frequently Asked Questions, supra note 96.

102. Wack, supra note 49.

103. See OCC Fines Capital One $80 Million for Cloud Security Violations Related to Cyber Breach, WILLKIE COMPLIANCE (Aug. 7, 2020), https://complianceconcourse.willkie.com/articles/news-alerts-2020-08-august-20200807-occ-fines-capital-one-80-million [https://perma.cc/D3M3-LSV3] (discussing how Capital One will have to appoint a Compliance Committee to submit updates to the OCC, develop a “Comprehensive Action Plan” detailing remedial actions, and submit risk assessment, audit, and oversight management reports to the OCC).

104. See Equifax to Pay $575 Million, supra note 49 (reporting that Capital One’s “failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people.”).

105. See Sarah Buhr, Former Equifax CEO Says Breach Boiled Down to One Person Not Doing Their Job, TECHCRUNCH (Oct. 3, 2017, 3:24 PM), https://techcrunch.com/2017/10/03/former-equifax-ceo-says-breach-boiled-down-to-oneperson-not-doing-their-job/ [https://perma.cc/8LH2-GK37] (examining the details of the Capital One data breach and the difficulty in holding its employees accountable for the breach).

106. See Equifax to Pay $575 Million, supra note 49 (discussing how Equifax finally discovered its critical security error in July 2017, where it discovered that cybercriminals had had access to consumers’ personally identifiable information for months).

107. See Equifax to Pay $575 Million, supra note 49 (“[H]ackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates.”).

108. See Selena Larson, Equifax Tweets Fake Phishing Site to Concerned Customers, CNN BUS. (Sept. 20, 2020, 4:17 PM), https://money.cnn.com/2017/09/20/technology/business/equifax-fake-site-twitterphishing/index.html [https://perma.cc/6K39-CFZ5] (examining how Equifax addressed customer service complaints and concerns relating to its 2017 breach, but in doing so, directed


a phishing site and retracted public statements multiple times—including a statement that previously said consumers could not sue the company.109 Consumer trust plummeted.110 Over half of Equifax consumers in one survey indicated that they no longer trusted the agency with their personal information.111The breach resulted in consumers experiencing anxiety, anger, and fear of data insecurity.112

As a result of this breach, Equifax paid out $575 million and potentially up to $700 million in its settlement with the Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFPB”), and every U.S. state and territory.113 In an attempt to address this, Equifax laid out a three-year plan to regain consumer trust.114 With $200 million invested in the plan, Equifax claimed that consumer trust would be restored by 2020.115 Survey data supports this claim, showing that consumers are slowly regaining trust in Equifax.116 Public opinion of


customers to the phishing site “securityequifax2017.com” instead of the legitimate site “equifaxsecurity2017.com”).

109. See id. (discussing how Equifax tweeted links to a fake website to customers asking for help and more information about the company’s 2017 breach); see also Buhr, supra note 102 (stating that, although Equifax had a 225-person cybersecurity team, no one on that team realized that “a patch for that vulnerability [that caused the breach] had been available for months before the breach occurred.”); Geraldine Strawbridge, 5 Ways to Identify a Phishing Website, METACOMPLIANCE (July 2, 2018), https://www.metacompliance.com/blog/5-waysto-identify-a-phishing-website/ [https://www.metacompliance.com/blog/5-ways-to-identifya-phishing-website/] (“Phishing continues to prove one of the most successful and effective ways for cybercriminals to defraud us and steal our personal and financial information.”).

110. See Karl, supra note 53 (“Consumer trust in Equifax sank after its 2017 data breach.”).

111 See id. (stating that Equifax became the least trusted of the three major credit reporting bureaus following the 2017 breach).

112. See Identity Theft Resource Center Sees Major Consumer Impacts One Year After the Equifax Breach, IDENTITY THEFT RES. CTR. (Sept. 10, 2018), https://www.idtheftcenter.org/identity-theft-resource-center-the-aftermath-equifax-one-yearlater/ [https://perma.cc/3A7K-N53W] (discussing how many victims of the Equifax breach felt adverse or negative emotions following the incident, including feeling anxious, violated and/or unsafe).

113. Equifax to Pay $575 Million, supra note 49.

114. See Alfred Ng, Equifax Has a Plan to Win Your Trust Back. It’ll Take Three Years. CNET (Aug. 10, 2018, 5:00 AM), https://www.cnet.com/news/equifax-has-a-plan-to-winyour-trust-back-itll-take-three-years/ [https://perma.cc/7952-UH9K] (examining Equifax’s new chief information security officer’s plan to win back customers following the 2017 breach).

115.* Id. *

116. See David Lord, Equifax Somehow Managed to Regain Public Trust, MARKETWATCH (Nov. 7, 2018, 9:55 PM), https://www.marketwatch.com/story/equifax-somehow-managedto-regain-public-trust-2018-11-07 [https://perma.cc/BD8U-DF7Z] (stating that public opinion of Equifax is almost at the same spot, -2, as it was before the 2017 data breach occurred).


Equifax is now at the same place it was before the breach happened.117 The Capital One and Equifax data breaches ultimately exemplify the farreaching impacts a breach can have on the financial services industry.118 Unfortunately, the inadequacy of federal and state laws regulating personal consumer data collection exacerbates the frequency and impact of a breach.119
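The phishing domain in the Equifax episode above, securityequifax2017.com standing in for equifaxsecurity2017.com, is a token-transposition lookalike: the same word pieces in a different order. A support team that checks every link it is about to publish against the brand's own domains would have caught it. The following Python is an added example written for this page, not code from the article or from Equifax. It goes slightly beyond the single case in the text by also flagging one- or two-character typos and top-level-domain swaps; the legitimate-domain list (LEGIT_DOMAINS) and the brand vocabulary (VOCAB) used to segment labels are constructed assumptions, as are the sample candidates.

```python
"""Detect lookalike domains before publishing or following a link.

Added example for this page, not code from the article or from Equifax.
LEGIT_DOMAINS, VOCAB and the sample candidates are constructed assumptions.
"""
from functools import lru_cache
from typing import Optional, Tuple

# Constructed: the domains the brand actually operates. The first is the
# breach-response site named in the article.
LEGIT_DOMAINS = ("equifaxsecurity2017.com", "equifax.com")

# Constructed: the word pieces legitimate labels are built from. Digit runs
# such as "2017" are accepted automatically and need not be listed.
VOCAB = ("equifax", "security")


def split_host(host: str) -> Tuple[str, str]:
    """Return (second-level label, top-level label) of a hostname."""
    parts = host.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def segment(label: str) -> Optional[Tuple[str, ...]]:
    """Split a label into VOCAB words and digit runs; None if that is impossible."""

    @lru_cache(maxsize=None)
    def go(i: int) -> Optional[Tuple[str, ...]]:
        if i == len(label):
            return ()
        j = i
        while j < len(label) and label[j].isdigit():
            j += 1
        if j > i:                      # a digit run starts here
            rest = go(j)
            if rest is not None:
                return (label[i:j],) + rest
        for word in VOCAB:             # otherwise a brand word must start here
            if label.startswith(word, i):
                rest = go(i + len(word))
                if rest is not None:
                    return (word,) + rest
        return None

    return go(0)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str, legit=LEGIT_DOMAINS, max_edits: int = 2) -> str:
    """Return legitimate, tld-swap, token-transposition, edit-distance or unrelated."""
    label, tld = split_host(host)
    legit_parts = [split_host(h) for h in legit]
    if (label, tld) in legit_parts:
        return "legitimate"
    if any(label == l for l, _ in legit_parts):
        return "tld-swap"                       # e.g. equifax.co
    mine = segment(label)
    for l, _ in legit_parts:                     # same pieces, different order
        theirs = segment(l)
        if mine and theirs and sorted(mine) == sorted(theirs):
            return "token-transposition"         # e.g. securityequifax2017.com
    if any(osa_distance(label, l) <= max_edits for l, _ in legit_parts):
        return "edit-distance"                   # e.g. equifaxsecurlty2017.com
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample of links a support account might be about to post.
    for candidate in ("equifaxsecurity2017.com", "securityequifax2017.com",
                      "equifaxsecurlty2017.com", "equifax.co", "example.org"):
        print(f"{candidate:28} {classify(candidate)}")
```

Anything other than "legitimate" should block the post and route the link to a human; the category only tells the reviewer which kind of lookalike was caught. The vocabulary-based segmentation is what separates a transposition from an unrelated string, so keep VOCAB limited to genuine brand tokens rather than common English words.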

