In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020. The actions follow a 2019 cyber-attack against Capital One. The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company. The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.

Background

In early 2019, Capital One was subjected to a cyber-attack in which a third party obtained unauthorized access to certain personal information of approximately 100 million individuals.[1]

Capital One notified potentially affected customers, and the OCC press release accompanying the consent orders noted that the OCC “positively considered the bank’s customer notification and remediation efforts.” The OCC orders and press release did not explicitly reference the 2019 data breach incident. The press release referred to risk assessment processes related to migrating operations to the cloud.

The OCC enforcement actions were based on the agency’s Part 30 safety and soundness regulations, including the interagency guidelines on information security that implement section 501(b) of the Gramm-Leach-Bliley Act and are codified in Appendix B to the Part 30 regulations. Prior to this action, there had been only one case where the OCC imposed a civil monetary penalty based on noncompliance with the information security guidelines, a 2005 penalty against First Horizon Home Loan Corporation for $180,000.[2]

Requirements of the Consent Orders

The OCC cease and desist order requires remedial actions to strengthen the bank’s information security program, including:

  • formation of a compliance committee comprised of independent directors;
  • submission of an action plan outlining remedial measures to achieve compliance with the order; and
  • creation of additional plans related to enhancing information security controls, including a board and management oversight plan, a plan for enhanced risk assessment processes related to the cloud and legacy technology operating environments, a cloud operations risk management plan, an independent risk management plan including provision for testing and validation, a plan to enhance internal controls and a plan to enhance internal audit.

The Federal Reserve Board order focuses on risk management and requires the parent bank holding company to take remedial actions, including strengthening Board oversight, strengthening governance and internal controls with respect to risk management, improving the risk management program and revising the internal audit program.

Takeaways

  • Board oversight: Both the OCC and Federal Reserve cease and desist orders highlight the importance of oversight and involvement by the Board and senior management. This includes holding relevant individuals accountable for gaps in information security systems and response processes, ensuring the proper information security programs and procedures are in place and staying apprised of any internal information security developments or events soon after they take place.
  • Strong internal audit function and reporting channels: No information security program is immune to human error or attack, but firms can help mitigate potential enforcement and other risks by developing streamlined response mechanisms, including communication channels that enable timely reporting of potentially material issues.
  • Mitigation in the event of a data security incident: The OCC explicitly credited the bank’s customer notification and remediation efforts and noted in the cease and desist order that the bank had already begun to take corrective action. It is notable, however, that the OCC imposed a sizable penalty notwithstanding the apparently prompt notification and remediation efforts.
  • Increased scrutiny and penalties? While it is expected that regulators will scrutinize data security programs in the wake of a significant security incident, the penalty imposed by the OCC may suggest a more punitive approach by the OCC than it has taken in the past. Particularly in an era when state actors engage in cyber-attacks on private companies, including financial institutions, it may be challenging to determine the degree to which a financial institution should be faulted and penalized when it is the victim of a criminal cyber-attack. As with anti-money laundering (“AML”) programs, banks become the first line of defense against criminal activity; also like AML programs, no data security program of a large institution can prevent all failures or attacks. It will be important for institutions to highlight the overall strength of a program (from both a technical and management perspective) and for regulators to appropriately consider that broader context as individual incidents continue to occur.

[1] Press Release, Capital One Fin. Corp. Newsroom, Information on the Capital One Cyber Incident (Sept. 23, 2019), https://www.capitalone.com/facts2019/; Alert Memo, Cleary Enforcement Watch, Federal Court Compels Production of Data Breach Forensic Investigation Report (Jul. 8, 2020), https://www.clearyenforcementwatch.com/2020/07/federal-court-compels-production-of-data-breach-forensic-investigation-report/.

[2] See Consent Order, In re First Horizon Home Loan Corp., AA-EC-05-49, 2005-78 (U.S. Dep’t of Treas. OCC, Jun. 28, 2005).