A recent cybersecurity breach involving one of the country’s largest financial services firms illustrates both the necessity of strong cybersecurity regulations and the imperative for credit card holders to jealously safeguard their personal information. In a criminal complaint filed July 29th, 2019 at the U.S. District Court for the Western District of Washington, the federal government alleged that Paige A. Thompson, a computer engineer, had taken advantage of a gap in Capital One’s cloud security to obtain the personal financial records of millions of the company’s customers in the U.S. and abroad.1 Thompson, who used the online alias “erratic,” allegedly exploited a defect in Capital One’s firewall to access confidential financial information stored on the servers of the Cloud Computing Company, a Capital One service provider.1 Despite Capital One’s claim that “no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised,” the episode is a reminder that without robust cybersecurity measures and a broad-based commitment to personal data security, information stored with American financial institutions remains vulnerable to cyberattack.2 In fact, had Thompson been more careful to remain anonymous,3 the data breach could well have become catastrophic.
First, the data breach demonstrates the value of robust cybersecurity regulations. For example, if Capital One’s cybersecurity measures had met the stringent standards of the regulations issued by New York State’s Department of Financial Services that is now being enforced by the state’s new Cybersecurity Division, this problem may have been avoided. The DFS has committed itself to ensuring that “encryption and other robust security control measures” characterize the cybersecurity policies of the state’s financial services firms.5 Had Capital One encrypted or tokenized6 all of the data subject to the recent breach, it is possible that the effects of the cyberattack may have been less widespread. In fact, the criminal complaint against Thompson notes that “although some of the information” targeted by the cyberattack “has been tokenized or encrypted, other information[…]regarding their credit history has not been tokenized,” allowing “tens of millions” of credit card applications to be compromised.1 Of course, the cybersecurity regulations adopted by New York State are burdensome. But the alternative is even worse – especially considering that Capital One will “incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support,” a price tag that doubtless outstrips the costs of regulatory compliance.3
Pastore & Dailey is a leading firm in the drafting and implementation of procedures necessary to comply with federal and state securities and banking cybersecurity regulations and laws, which in this case could have saved Capital One millions if properly followed.
Second, the cyberattack bears out the importance of diligence in safeguarding financial information. According to Forbes, individuals worried about the security of their financial information can take a host of precautions: “[updating] passwords,” avoiding the use of e-mail accounts to share confidential information, “[establishing] two-factor authentication,” and so on.7 Cyberattacks like the one that recently struck Capital One have become a fact of life for many Americans who bank online, but they need not be costly. Common-sense precautions and security diligence can go a long way towards ensuring the integrity of your financial records.