Under the settlement, Adobe agrees to implement new policies and practices to prevent similar breaches in the future.
“We’re committed to protecting Ohio’s families, and this agreement will help safeguard consumers’ personal information,” DeWine said. “This is one of many ways we help protect people from identity theft and similar threats.”
The agreement, reached by the attorneys general of Ohio and 14 other states, resolves consumer protection and privacy claims against the company for the 2013 breach, in which an attacker stole encrypted payment card numbers and expiration dates, as well as names, addresses, telephone numbers, e-mail addresses, and usernames from Adobe servers.
In September 2013, Adobe learned that an attacker was trying to decode encrypted customer payment card numbers maintained on one of its servers. Adobe stopped the decryption but found the attacker had compromised a Web server and used it to access other servers on Adobe’s network.
The multistate investigation focused on whether Adobe had used reasonable measures to protect its systems from an attack or immediately detect an attack.
As part of the settlement, Adobe agreed to regularly evaluate its practices for safeguarding personal information, to comply with applicable state consumer laws, and to pay a total of $1 million to the 15 participating attorneys general. The Ohio Attorney General’s share of the total payment is $74,772.
The attorneys general of the following states joined the agreement: Arkansas, Connecticut, Illinois, Indiana, Kentucky, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, North Carolina, Ohio, Oregon, Pennsylvania, and Vermont.
A copy of the agreement (an Assurance of Voluntary Compliance) is available on the Ohio Attorney General’s website.