By Floyd Boone, Esq. and Julie Shank, Esq.

On August 6, 2020, the Office of the Comptroller of the Currency ("OCC") assessed an $80 million civil money penalty against Capital One, N.A. and Capital One Bank (USA), N.A. (collectively "Capital One").

The penalty arose out of an incident in July 2019, in which a computer hacker illegally accessed the personal information of more than 100 million Capital One customers and credit card applicants in one of the largest data breaches ever of a financial services firm.

The data breach occurred soon after Capital One transferred a major portion of its computer data to a cloud-based storage system. According to the OCC, the bank not only failed to establish an effective risk assessment process prior to the transfer of customer data to the cloud but also failed to properly identify and address the deficiencies in a timely manner. On the other hand, the OCC tempered Capital One's punishment based upon the bank's efforts to notify customers and its remediation efforts.

In announcing the settlement, the OCC's press release noted that "[w]hile the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers." The OCC's settlement is a reminder that all federally regulated financial institutions must establish effective risk assessment processes in the operation of their information technology systems and must maintain internal audit practices and procedures capable of identifying and controlling weaknesses. The OCC's consent orders are also a reminder that the federal banking regulators will give favorable consideration to banks' efforts to provide customer notice and other forms of remediation immediately following data breaches.

The Federal Reserve also issued an order to Capital One – a cease-and-desist requiring the bank to submit a series of written plans within 90 days to strengthen oversight of its risk management program as well as its internal controls and governance. Moving forward, the bank must also submit progress reports within 45 days of the end of each quarter.

Since the hack, the OCC has repeatedly claimed that Capital One deserves credit for its customer notification and remediation efforts.

The Bowles Rice Banking & Financial Services Team advises state and federally regulated financial institutions with respect to their compliance with the full spectrum of state and federal banking statutes and regulations. The Team also regularly advises banking industry clients transitioning to new systems, products, and service providers, including the negotiation of effective third-party provider agreements.

The Bowles Rice Cybersecurity & Information Privacy Team provides an all-encompassing approach to privacy and data security issues for a wide variety of businesses and industries. With detailed security risk assessment, customized data privacy policies and procedures, contract negotiation assistance, employee and vendor training, and a comprehensive cyber incident response plan, our team1s approach encourages a level of awareness and preparedness necessary for today1s complicated business landscape.

For more information, please contact a team member listed below: