Connecticut Attorney General Seeks Enforcement Against Citibank for Information Security Breach
September 17, 2013
By: Robert J. Munnelly, Jr.
In late August, Connecticut Attorney General George Jepsen announced that Citibank, N.A. had agreed to pay a $55,000 fine for allegedly failing to make timely fixes to a previously identified vulnerability in its customer account electronic systems in 2011 that was finally exploited in 2013. This fine - the first significant public enforcement action since legislators expanded Connecticut's data breach laws last fall - should alert all businesses that they may be subject to sanctions for failing to respond immediately to security breaches with the potential for widespread customer impacts.
The Citibank vulnerability allowed a person with log-in rights to its online banking system to access the accounts of other customers by modifying characters in the webpage URL (Uniform Resource Locator) bar, without any separate authentication and without logging into those additional accounts. Information subject to potential disclosure included customer names, street and email addresses, phone numbers and credit card number information, and thousands of Connecticut residents were potentially affected.
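The flaw described above is the textbook form of a missing object-level authorization check: the server looks up whatever account identifier appears in the URL and never asks whether the logged-in user owns it. The following is an added example written for this alert, not code from Citibank or from the alert's author; the URL shape (`?account_id=`), the account records and the session user names are all constructed. It shows a minimal vulnerable handler beside a hardened one that enforces ownership against the server-side session identity and records denied requests so repeated probing can be spotted.

```python
# Added example: insecure direct object reference (vulnerable) vs. ownership
# check enforced server-side (hardened). All data below is constructed.

from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str        # login name of the customer who owns this account
    name: str
    email: str
    card_last4: str


# Constructed sample records standing in for a bank's account store.
ACCOUNTS = {
    "1001": Account("1001", "alice", "Alice Example", "alice@example.com", "4242"),
    "1002": Account("1002", "bob", "Bob Example", "bob@example.com", "1111"),
}

# Denied requests are appended here; a real deployment would ship these to
# the SIEM and alert on a single session touching many foreign identifiers.
AUDIT_LOG: list[tuple[str, str]] = []


class Forbidden(Exception):
    """Raised when a logged-in user requests an account they do not own."""


def parse_account_id(url: str) -> str:
    """Extract the account_id query parameter from a URL such as
    https://bank.example/account?account_id=1001 (hypothetical URL shape)."""
    params = parse_qs(urlparse(url).query)
    values = params.get("account_id", [])
    if len(values) != 1:
        raise ValueError("expected exactly one account_id parameter")
    return values[0]


def vulnerable_view(session_user: str, url: str) -> Account:
    """The flaw: the identifier in the URL is trusted as-is. The session user
    is authenticated but never compared with the record's owner, so editing
    the number in the URL bar returns another customer's data."""
    account_id = parse_account_id(url)
    return ACCOUNTS[account_id]


def hardened_view(session_user: str, url: str) -> Account:
    """The fix: resolve the record, then enforce ownership using the identity
    the server already holds for this session, never a client-supplied value."""
    account_id = parse_account_id(url)
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        # One error for both "no such account" and "not your account", so the
        # response does not confirm which identifiers exist.
        AUDIT_LOG.append((session_user, account_id))
        raise Forbidden("access denied")
    return account


def denied_count(session_user: str) -> int:
    """Number of denied lookups recorded for a session user; a detection
    rule would threshold on this per user per time window."""
    return sum(1 for user, _ in AUDIT_LOG if user == session_user)
```

The important design point is where the authorization decision draws its inputs: `hardened_view` compares the record's owner with `session_user`, which comes from the server's session store, so nothing the client can edit in the URL changes the outcome. Returning the same error for a missing account and a foreign account, and logging every denial, are the two small additions a defender would want alongside the check itself.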
Attorney General Jepsen cited Citibank for “unreasonable delay” in responding to a data breach and, based on that alleged violation, relied on state statutes authorizing sanctions against businesses committing what they knew or should have known were unfair trade practices. The Attorney General faulted Citibank for not fixing a known vulnerability for several years and then taking 17 days to put in place a permanent fix after Citibank learned its online banking system had been hacked. In response to the Attorney General’s claims, Citibank entered into a settlement agreement denying liability but agreeing to pay a $55,000 fine ($40,000 to the state general fund for the unfair trade practices allegation and $15,000 to the state privacy protection fund for consumers harmed by security breaches). Citibank separately agreed to pay similar fines to California authorities in response to the same breach.
Lessons learned from this enforcement action and fine:
- Companies should not leave unaddressed identified system vulnerabilities that could result in a security breach.
- While 17 days to identify, diagnose and correct an electronic breach is ordinarily considered a prompt response period, regulators may expect businesses to move even faster when thousands of consumers are at risk.
- The settlement can be viewed as a sign that the Connecticut Attorney General has begun to act on his pledge, made late last year, to act decisively to address security breaches. Connecticut businesses may face an increased risk of data enforcement actions in the upcoming months and into 2014.
If you have any questions about the information contained in this Alert, please contact your Murtha Cullina attorney or a member of our Information Security and Privacy Group.