Privacy Enforcement Actions
Glow, Inc. (and its parent company, Upward Labs Holdings, Inc.), in a stipulated judgment, agreed to pay a $250,000 settlement to resolve allegations that its mobile app violated California’s medical privacy and data security laws. The Glow mobile app is marketed as a fertility-tracker and stores highly sensitive data related to women’s sexual and reproductive health. Our investigation found that the app had clear basic security flaws that put its users’ data at risk, and that the company failed to realize that it had to comply with the Confidentiality of Medical Information Act (CMIA), which goes beyond federal law to cover health apps such as Glow. The settlement requires Glow to improve the app’s data security, including a first-ever injunctive term that requires Glow to consider how privacy or security lapses may uniquely impact women. Glow must also incorporate privacy and security design principles into its mobile apps, obtain affirmative consent from users prior to sharing or disclosing personal, medical, or sensitive information, and allow users to revoke previously granted consent.
Anthem, a health insurance provider, in a stipulated judgment, agreed to pay a $8.69 million settlement to resolve allegations that it violated consumer protection and privacy laws arising from a 2014 data breach. Attackers used phishing emails to gain access to Anthem’s network and accessed Anthem’s most sensitive database holding personal information including name, address, email address, Social Security number, healthcare identification number, and date of birth. The data breach affected over 78 million consumers, including over 13.5 million Californians. The settlement also requires Anthem to improve its data security.
Equifax, in a nationwide settlement, agreed to pay a total of up to $600 million to resolve allegations that it improperly exposed the personal information of 147 million consumers, including 15 million Californians, in a 2017 data breach. The breach occurred after Equifax had failed to apply a critical software fix and implement security measures, including encrypting consumer Social Security numbers. The settlement requires Equifax to pay up to $425 million in restitution to affected consumers and $175 million to states in penalties, as well as provide additional benefits to consumers. The company must also implement and maintain critical data security enhancements.
Premera Blue Cross
Premera Blue Cross, in a stipulated judgment, agreed to pay a $10 million multi-state settlement to resolve allegations that it violated state and federal medical privacy laws arising from a 2014 data breach. Attackers used phishing emails to gain access to Premera's network and then took advantage of the company's lack of basic data security to access the personal information of 10.5 million consumers, including name, Social Security number, bank account information, medical information, and health-claims-related data. The settlement requires Premera to improve its information security program and implement a corporate compliance program that includes an independent Chief Compliance Officer and regular program assessments.
Aetna Inc., in a stipulated judgment, agreed to pay $935,000 to settle an investigation of the company after its mailing vendor sent letters to 1,991 Californians that revealed through an over-sized window in the envelope that the recipients took HIV-related medication. The settlement includes strong injunctive terms requiring Aetna to change its mailing procedures to better protect the confidentiality of medical information and conduct risk assessments for several years.
Uber Technologies, Inc.
Uber Technologies, Inc., in a stipulated final judgment, agreed to pay a $148 million nationwide settlement to resolve allegations that it violated data breach notification and reasonable data security laws in connection with a 2016 data breach where Uber failed to notify regulators and users of a data breach involving personal information. Uber instead covered up the breach for over a year, paying off hackers $100,000 for their silence. The settlement includes robust injunctive terms requiring Uber to maintain a Corporate Integrity Program, implement privacy-by-design principles, and have a comprehensive information security program. California's share of the payment, which will be split between our office and our partners at the San Francisco District Attorney's Office, is around $25.6 million.
Cottage Health System
Cottage Health System, in a stipulated final judgment, agreed to pay a $2 million settlement to resolve allegations that it failed to implement basic, reasonable safeguards to protect patient medical information in violation of state and federal privacy laws. The settlement requires Cottage to upgrade its data security practices and procedures to protect patients' medical information from unauthorized access or disclosure. It requires Cottage to maintain an information security program that meets reasonable security practices and procedures for the healthcare industry, and it requires Cottage designate an employee to serve in the capacity of a Chief Privacy Officer and to complete periodic risk assessments. This settlement follows two separate data breach incidents by Cottage Health where more than 50,000 patients' medical information was made publicly available online.
Lenovo Corporation, in a stipulated final judgment, agreed to pay $3.5 million to settled a multi-state investigation resolving allegations that it had illegally preinstalled ad-injecting software that compromised the security of its computers. This case marks the first time that California has held a hardware manufacturer accountable for software preinstalled on its products. As part of the settlement, Lenovo is required to adopt advanced measures to prevent future misconduct, including making clear and conspicuous disclosures about how pre-installed advertising software will operate, obtaining a consumer's affirmative consent before using such software, and providing a reasonable and effective means for consumers to opt-out, disable or remove the software. California will receive $389,204, the largest share of the 32 states involved in the settlement. The settlement was negotiated and finalized in coordination with the Federal Trade Commission.
Target Corporation, in a stipulated final judgment, settled a multi-state investigation in response to allegations that over 40 million customers had their payment card information compromised during the 2013 holiday season after the company failed to provide reasonable data security. Target agreed to pay a record $18.5 million; California received more than $1.4 million, the largest share of any state. As part of the settlement, Target is required to adopt advanced measures to secure customers' information. The settlement requires Target to employ an executive to oversee a comprehensive information security program and advise its CEO and Board, encrypt or otherwise protect payment card information to make it useless if stolen, and adopt other technological measures. In addition, today's settlement in part requires Target to integrate business practices recommended in the Attorney General's Data Breach Reports previously published by the California Department of Justice.
Wells Fargo Bank
Wells Fargo Bank, in a stipulated final judgement, agreed to an $8.5 million settlement for violating California privacy laws by recording consumers' phone calls without a timely disclosure to consumers, as required by sections 632 and 632.7 of the California Penal Code. This investigation and subsequent settlement agreement was a collaboration between the Attorney General's Office and five District Attorney Offices throughout the state. Wells Fargo, a California-based bank, agreed to pay $7,616,000 in civil penalties and $384,000 in prosecutors' investigative costs, as well as contribute $500,000 to two organizations that advance consumer protection and privacy rights in California. In keeping with California's strong privacy-protection standards, Wells Fargo also agreed to make clear, conspicuous, and accurate disclosures when recording confidential communications between the bank and its customers, as well as implement an internal compliance program to ensure policy changes.
Houzz, an online platform for home remodeling and design, agreed to resolve allegations that the company violated California privacy laws by recording incoming and outgoing telephone calls without notifying all parties on the call that they were being recorded. As part of the stipulated judgment, the company agreed to appoint an individual to serve in a Chief Privacy Officer capacity who will oversee Houzz's compliance with privacy laws and who will report any significant concerns to the Chief Executive Officer and/or other senior executives, to conduct a privacy risk assessment addressing its efforts to comply with applicable privacy laws governing its U.S. operations; and to pay $175,000.
Comcast agreed to a stipulated final judgment to resolve allegations that the company posted online the names, phone numbers and addresses of tens of thousands of customers who had paid for unlisted voice over internet protocol ("VOIP") phone service. Comcast agreed to improve how it handles customer complaints, strengthen its restrictions on vendors' use of personal information about customers, and provide a simple disclosure form to customers. The company Comcast must pay $25 million in penalties and investigative costs to the California Department of Justice and the California Public Utilities Commission, and approximately $8 million in additional restitution to customers whose numbers were improperly disclosed.
Aaron's agreed to a stipulated final judgment to resolve allegations that the company permitted its franchised stores to install spyware on laptop computers rented to customers without their knowledge or consent, as well as charging improper late fees, overcharging customers who paid off contracts early and omitting important contract disclosures. Aaron's agreed to refund $25 million to California customers and to pay $3.4 million in civil penalties and fees.
Kaiser Foundation Health Plan, Inc.
Kaiser agreed to a stipulated final judgment after it delayed notifying its employees after an unencrypted USB drive was discovered at a Santa Cruz thrift store that contained over 20,000 employee records. Kaiser paid $150,000 in penalties and attorneys' fees, and agreed to comply with California's data breach notification law in the future, provide notification of any future breach on a rolling basis, and implement additional training regarding the sensitive nature of employee records.
Citibank agreed to stipulated final judgment arising out a breach of its Citibank Online website via a known technical vulnerability that affected over 80,000 California account holders. Citibank paid $420,000 in penalties and attorneys' fees to California and $55,000 to the Connecticut Attorney General. Citibank also agreed to improve their security procedures, conduct an independent audit of Account Online, and provide credit monitoring for affected individuals for two years.
Anthem Blue Cross
Anthem agreed to a stipulated final judgment as a result of it printing Social Security Numbers on mailings to its customers that were visible on the envelope. Anthem paid $150,000 in penalties and attorneys' fees and agreed to implement new technical safeguards for its data management system, restrict employee access to members' Social Security numbers and provide enhanced data security training for all of its associates.
Privacy Amicus Filings
Fraley v. Facebook, Inc.
The Attorney General filed a brief for the State of California as amicus curiae in support of neither party, in Fraley v. Facebook on appeal from the U.S. District Court for the Northern District of California, arguing that California law protecting publicity rights of minors remained valid and enforceable.