On November 7, 2016, Adobe Systems Inc. (“Adobe”) entered into an assurance of voluntary compliance (“AVC”) with 15 state attorneys general to settle allegations that the company lacked proper measures to protect its systems from a 2013 cyber attack that resulted in the theft of the personal information of millions of customers. Under the terms of the AVC, Adobe must pay $1 million to the attorneys general and implement new data security policies and practices.

The AVC stems from a 2013 breach of one of Adobe’s public-facing servers that allowed an attacker to steal data from Adobe’s network. The stolen data included names, addresses, telephone numbers, usernames, email addresses, encrypted and unencrypted passwords, plain text password hints and encrypted payment card numbers and expiration dates. Adobe notified more than 3.1 million customers whose credit or debit card information was stolen, and nearly 33 million active users whose passwords were stolen.

Led by Connecticut Attorney General George Jepsen, the state attorneys general alleged that Adobe failed to (1) employ reasonable security measures to protect its systems from attack and the unauthorized exfiltration of personal information, and (2) promptly detect and respond to unauthorized activity on its network. According to the AVC, these failures contradicted Adobe’s representations to customers that it took reasonable steps to protect their personal information.

In addition to the $1 million fine, the AVC requires Adobe to review, at least twice per year, its existing internal security policies and procedures and amend them where necessary. Adobe also must implement other data security measures, including segregating payment card information from access by public-facing servers, employing tokenization for Adobe.com merchant ID payment card numbers, performing ongoing risk assessments and penetration testing, and training employees on security policies.