State Settles With Citibank In Data Breach Case
"At the time of the incident in 2011, we immediately rectified the issue and took steps to notify and protect affected customers," said the statement. "Customer data that is critical to commit identity theft was not accessed and Citi's credit card processing systems and other consumer banking online systems were not impacted. No customer was liable for any unauthorized account activity that may have occurred."
Citibank's lawyer, Melissa A. Hager, of Morrison & Foerster in New York City, who negotiated the settlement with the state, did not return repeated calls for comment last week.
Under the settlement agreement, Citibank will pay $15,000 in civil penalties to the state's Privacy Protection Guaranty and Enforcement Account, which is used for the reimbursement of losses sustained by individuals injured by certain data breaches and for enforcing the state's data breach laws. An additional $40,000 will be paid to the state's General Fund to resolve the allegations of the CUTPA violations.
Further, Citibank is required to hire an independent third party to conduct an information security audit of Account Online and report a detailed summary of its findings to the state Attorney General. The company will be required to maintain reasonable security procedures and practices to protect Account Online in the future.
Citibank must also provide appropriate notice and free credit monitoring for two years to any individual affected by certain future security incidents involving Account Online.
Assistant Attorney General Matthew Fitzsimmons, head of the state Attorney General's Privacy Task Force, along with its members, Assistant Attorneys General Lorrie Adeyemi and Michele Lucan, assisted Jepsen with the investigation.•