“If companies are going to manage New Yorkers’ personal information, they must make every effort to protect that information,” said Attorney General James. “But AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information. Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”
Between August 1, 2018 and March 30, 2019, an unauthorized user gained access to AMCA’s internal system and was able to collect a wide variety of customers’ personal information. Despite numerous warnings from banks that processed its payments about a potential breach, AMCA failed to detect the intrusion.
On June 3, 2019, AMCA provided notice to the states, including New York — which immediately opened an investigation. The company also simultaneously began providing notice to affected individuals. To help manage the harm from the exposure of personal information, AMCA offered affected individuals two years of free credit monitoring.
On June 17, 2019 — as a result of the costs associated with providing notification and remediating the breach — AMCA filed for bankruptcy. In order to continue the investigation and take steps to ensure that the personal information of their residents was protected, Attorney General James and other members of the multistate coalition participated in the bankruptcy proceedings. The company ultimately received permission from the bankruptcy court to settle with the multistate coalition, and, on December 9, 2020, the company filed for dismissal of the bankruptcy.
Under the terms of today’s agreement, AMCA and its principals have agreed to implement and maintain a number of data security practices designed to strengthen its information security program and safeguard the personal information of consumers. These include:
- Creating and implementing an information security program with detailed requirements, including an incident response plan;
- Employing a duly qualified chief information security officer to oversee data safety practices at the company;
- Hiring a third-party assessor to perform an information security assessment; and
- Cooperating with the attorneys general’s investigation and maintaining evidence.
As part of the agreement, AMCA may also be liable for a $21 million payment to the states if the company violates the injunctive terms of the agreement. Because of AMCA’s financial condition, the payment will be suspended if no violation occurs.
Joining Attorney General James in co-leading this investigation were the attorneys general of Connecticut, Indiana, and Texas. They were joined by the attorneys general of Arizona, Arkansas, Colorado, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.