Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

States reach data breach settlement with debt collector

State Issues State Attorney General Data Breach Privacy/Cyber Risk & Data Security Settlement

State Issues

On March 11, a coalition of 41 state attorneys general, led by the New York attorney general, announced a settlement with a bankrupt debt collection agency to resolve a multistate investigation into a 2019 data breach that allegedly exposed the personal information of more than 21 million individuals, including Social Security numbers, payment card information, and in certain instances, medical test names and diagnostic codes. According to the proposed consent order, an unauthorized user accessed the company’s internal system and accessed consumers’ personal information. The AGs claimed that “[d]espite numerous warnings from banks that processed its payments about a potential breach, [the company] failed to detect the intrusion.” Under the terms of the settlement, the company has agreed to implement data security practices to strengthen its information security program and safeguard consumers’ personal information. These measures include: (i) creating and implementing an information security program that includes an incident response plan; (ii) employing a chief information security officer to oversee data safety practices; and (iii) hiring a third-party assessor to conduct an information security assessment. Additionally, should the company fail to honor the injunctive terms of the settlement it may be liable for as much as $21 million.