Utah Office of the Attorney General

Statement on Settlement Between State of Utah and John Swallow

FOR IMMEDIATE RELEASE
September 6, 2019

SALT LAKE CITY – Today the Utah Attorney General’s Office issued the following statement:

“After a jury acquitted Mr. Swallow, he brought a claim for his attorney fees, which the State is obligated to pay under Utah law. While the amount he claims in attorneys’ fees is much higher, the parties have agreed to settle for payment of $1.5 million by the State in exchange for dismissal with prejudice of all claims.

“Though many may be reluctant to pay anything in this matter, the law is clear and neither the executive branch nor the legislature has the ability to deviate from it. The legislature is upholding the rule of law by approving this settlement, which closes the book on a controversial chapter in Utah history.”

###

Health Insurer Premera Settles Suit for Failing to Protect Sensitive Data

FOR IMMEDIATE RELEASE
July 11, 2019

Premera Breach Affects Millions Nationwide, Including About 50,000 Utahns

OLYMPIA, WA — Premera Blue Cross, the largest health insurance company in the Northwest, has settled a lawsuit over failing to fix known security problems that exposed personal information of more than 10.4 million consumers nationwide, including approximately 50,000 Utahns, to a hacker.

Utah Attorney General Sean D. Reyes and 29 other attorneys general filed a settlement today that requires Premera Blue Cross to pay $10 million total to states over its insufficient data security and failure to secure the consumer data, including protected health and personal information.

A nearly year-long investigation focused on Premera’s cybersecurity vulnerabilities that gave a hacker unrestricted access to the data for almost a year. Under the settlement, Premera will:

  • Pay a total of $10 million to states. (Premera settled a class action lawsuit for $74 million earlier this year.)
  • Implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general.
  • Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but not yet finalized by the court.

“This was clearly a violation of Federal and Utah privacy laws and is simply unacceptable,” said Utah Attorney General Sean D. Reyes. “Even worse, the company knew about the deficient data security for nearly a year and didn’t take necessary measures to fix it. Consumers deserve much, much better.”

The complaint asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Utah Protection of Personal Information Act (UPPIA) by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for almost a year.

From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.

The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.

Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumers’ sensitive data vulnerable to hackers for nearly a year.

Today’s settlement also requires Premera to:

  • Ensure its data security program protects personal health information as required by law
  • Regularly assess and update its security measures
  • Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office
  • Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
  • Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

Today’s multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.

A copy of the settlement can be viewed here.

-30-

Protecting Utah Consumers: Wells Fargo Settlement

January 1, 2019

On Friday, Wells Fargo agreed to pay $575 million after investigations and lawsuits from all 50 states and the District of Columbia for account fraud and other illegal business practices. Utah will receive $10 million.

Investigations started in 2016 after Wells Fargo admitted employees opened over 3.5 million fraudulent bank accounts in consumers’ names, without their knowledge or consent. Further investigation revealed improper practices involving insurance, auto loans, financing, and mortgages.

The Utah Attorney General’s Office worked alongside the Division of Consumer Protection and 49 other attorneys general to reach an appropriate settlement. From the press release:

“To date, this settlement represents the most significant engagement involving a national bank by state attorneys general acting without a federal law enforcement partner.”

Utah Attorney General Sean Reyes stated, “We appreciate the efforts Wells Fargo has made to address these important consumer issues. We all share the same goal: to enjoy a strong economy where consumers’ privacy, choices, and funds are protected. To this end, the Division of Consumer Protection, our assistant AGs and sister-state Attorneys General acted with vigilance and I am grateful for their hard work.”

This settlement agreement follows previous settlements and fines paid by Wells Fargo. “This agreement underscores our serious commitment to making things right in regard to past issues as we work to build a better bank,” said Tim Sloan, Chief Executive Officer and President of Wells Fargo, in Wells Fargo’s press release.

The $10 million that Utah receives will go to the Division of Consumer Protection Education Fund.

Read more:

Press release: Utah Division of Consumer Protection to receive $10M in multi-state settlement

The settlement agreement (82-page PDF)

Salt Lake Tribune: Wells Fargo pays $575 million to settle state investigations over fake accounts and other shady practices; $10 million will go to Utah

Deseret News: Wells Fargo pays $575 million to settle state investigations

New York Times: Wells Fargo Agrees to Pay $575 Million to Resolve State Investigations

Photo by Mike Mozart

Uber to pay $148 million in multi-state settlement

FOR IMMEDIATE RELEASE
September 26, 2018

 

UBER AGREES TO PAY $148 MILLION IN MULTI-STATE SETTLEMENT
Uber agrees to strengthen security practices after data breach

SALT LAKE CITY – Today, Attorney General Sean Reyes and Utah Department of Commerce Executive Director Francine Giani jointly announced that Utah would receive nearly $900,000 from Uber Technologies, Inc. (Uber) in a settlement agreement over a one-year delay in reporting a data breach to affected drivers. Uber will pay Utah, the other 49 states, and the District of Columbia a total of $148 million in addition to strengthening its corporate governance and data security practices to prevent similar occurrences in the future.

Uber learned in November 2016 that hackers had gained access to personal information about the ride-sharer’s drivers, including driver’s license information. The data breach involved approximately 600,000 drivers nationwide, about 2,500 from Utah. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. Utah’s law requires Uber to notify affected Utah residents, but Uber failed to report the breach until November 2017.

Attorney General Reyes stated, “I’m a fan of Uber, but that doesn’t keep us from doing our job. Protecting Utahns, their data, and identities is one of the top priorities of my office. Working with the Utah Department of Commerce and colleagues from other states, we were able to achieve a fair resolution without protracted litigation.” Deputy Attorney General David Sonnenreich added, “prompt reporting of data breaches is important so that victims have the information they need to better protect themselves from identity theft.” 

“Sadly, data breaches have become a constant headline in our highly connected lives,” said Francine Giani, Executive Director for the Utah Department of Commerce. “We hope Uber’s case sends a message to the business community to be swift in alerting the public when consumer information is compromised. The Department of Commerce is grateful for the partnership with the Attorney General’s Office in settling Utah’s claim.”

The settlement requires Uber to:

  1. Comply with Utah data breach and consumer protection law about Utah residents’ personal information and notifications in the event of a data breach.
  2. Take precautions to protect any user data Uber stores on third-party platforms outside of Uber.
  3. Use strong password policies for its employees to gain access to the Uber network.
  4. Develop and implement a strong data security policy for all data that Uber collects about its users, assess potential risks to the security of the data, and implement additional security measures beyond what Uber is doing to protect the data.
  5. Hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with recommended security improvements.
  6. Develop and implement a corporate integrity program to ensure that ethics concerns brought by Uber employees about other employees will be heard.

Utah joins the other 49 states and the District of Columbia in this multistate agreement with Uber.

# # #

NOTES:

  1. You can find a copy of the Complaint, Proposed Judgment, and additional court documents here:
    https://attorneygeneral.utah.gov/wp-content/uploads/2018/09/2018-09-26-Uber-Complaint-Utah.pdf
    https://attorneygeneral.utah.gov/wp-content/uploads/2018/09/2018-09-26-Uber-Summons-Utah.pdf
    https://attorneygeneral.utah.gov/wp-content/uploads/2018/09/2018-09-26-Uber-Acceptance-of-Service-Stratford-Utah.pdf
    https://attorneygeneral.utah.gov/wp-content/uploads/2018/09/2018-09-26-Uber-UTAH-Proposed-Judgment.pdf

 

Photo by Antonio DiCaterina
