Capital One Financial Corp. is facing inquiries from attorneys general in New York, Connecticut and Illinois into its massive data breach and more state probes are likely to follow, privacy attorneys said.
State attorneys general can use authorities under their consumer protection laws, many of which prohibit unfair and deceptive practices, to assess whether companies have reasonable data security protections, attorneys said. Personal information protection statutes and data breach notification laws can also be the basis for state investigations.
Separate inquiries may ultimately be merged into a single multi-state investigation. Groups of states have teamed up in the past to investigate major data breaches involving Uber Technologies Inc. and Equifax Inc.
“It is common in a large data breach for several states to launch their own investigations to protect and seek remedies for their citizens,” Mark McCreary, chief privacy officer and co-chair of the privacy and data security practice at Fox Rothschild LLP, said.
New York Attorney General Letitia James (D), Connecticut Attorney General William Tong (D), and Illinois Attorney General Kwame Raoul (D) wasted little time in launching probes after Capital One said July 29 that a hacker obtained the personal information of about 100 million individuals in the U.S. and about 6 million in Canada. A Capital One spokesman did not immediately respond to a request for comment on the state probes.
Massachusetts Attorney General Maura Healey (D) said in a July 30 tweet that her office “is in active discussions with Capital One to determine the extent of personal information of Massachusetts residents put at risk.”
Attorneys general from 50 states and the District of Columbia reached a $148 million settlement with Uber Technologies Inc. in 2018 related to a breach that affected 57 million people. Attorneys general from 48 states, the District of Columbia and Puerto Rico participated in a July 22 settlement with Equifax Inc., along with the Federal Trade Commission and the Consumer Financial Protection Bureau, under which Equifax agreed to pay up to $700 million to resolve investigations into a 2017 breach affecting 140 million people.
The regulators can weigh whether Capital One’s statements about its data security practices were misleading to consumers, and whether those practices were unfair or deceptive, McCreary said.
The states may look into specific issues, like weak firewall security or broad employee data access, and assess if there were “repeated failures” in data security protections, Peter Ormerod, an assistant professor of business law at Western Carolina University, said.
A growing number of states also initiate such investigations under personal information protection statutes and state data breach notification laws, Matthew Fitzsimmons, a former Connecticut assistant attorney general, said.
For incidents that involve more than one party, such as a third-party vendor, states often query those parties to get a fuller picture, Fitzsimmons, a partner in Shipman & Goodwin LLP’s state attorneys general and data privacy and protection groups, said. Capital One stored data on Amazon’s cloud computing platform.