Adobe Settles With 15 States For 2013 Data Breach

King & Spalding

Adobe Systems, Inc. (“Adobe”) agreed to settle an investigation by 15 states related to an incident in 2013 in which Adobe was the victim of a data security breach that exposed the user name, account information, and credit card information of approximately 38 million individuals.  The hackers were able to gain access to Adobe’s internal system through a public-facing server.  Once within the system, the hackers accessed users’ credit card information and other account details by cracking Adobe’s encryption.  At the time of the breach, Adobe was using the same encryption key for all passwords.  The technology company first announced that the security breach affected three million users; however, its subsequent investigation revealed that it involved more than 30 million individuals.

In the wake of the security breach, Attorneys General from 15 states—Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont—conducted an investigation of Adobe’s security breach response to determine whether Adobe had taken “reasonable measures” to protect itself from and detect the breach.  (Of the millions of individuals who potentially had their information exposed, 534,000 affected individuals resided in these 15 states.)  The multistate investigation concluded that Adobe’s security system was not reasonable because Adobe had public-facing servers, and it should have reasonably anticipated that these servers would be vulnerable to a security breach. 

Last week, Adobe agreed to pay $1 million to be divided among these 15 states as well as comply with several additional security precautions in an Assurance of Voluntary Compliance Agreement (“Agreement”).  The Agreement provides that Adobe will (i) conduct reviews of its security policies and procedures at least twice a year; (ii) timely notify individuals and respective State Attorneys General of any future breaches; and (iii) comply with state security statutes by integrating additional security measures into its system, such as effectively segregating payment card information from access by public-facing servers, employing tokenization for payment card numbers, and maintaining an alert process if its systems are not operating normally.  In addition, within the next four months, Adobe must participate in an audit by a third party and provide the results to the Connecticut Attorney General, the lead state in the investigation, to ensure that its systems are, in fact, more secure.  If Adobe fails to fulfill the terms of the Agreement, then the respective State Attorneys General may file civil claims against it.

This is not the first settlement that Adobe has reached to resolve legal action in the wake of the security breach.  Six lawsuits were filed on behalf of individuals in federal court and consolidated before District Judge Lucy H. Koh of the Northern District of California.  Adobe settled these cases for an undisclosed amount on August 13, 2015.  As part of that settlement, Adobe agreed to pay $1.18 million in attorneys’ fees to plaintiffs’ counsel.

Adobe’s post-breach experience highlights that the lifecycle of dealing with the aftermath of a security breach can be years—rather than days or months—with ongoing settlements that continue to impact the company.  Because the total amount paid by Adobe in settlements for the 2013 security breach is unknown, it is impossible to determine the financial impact of the 2013 breach on Adobe; however, based on the relatively low amount of the settlement with the State Attorneys General and the comparatively reasonable attorneys’ fees payment to end the civil litigation brought by the individuals affected by the breach, it appears that Adobe was able to manage this security breach to minimize its financial impact.
