Court Rules

Privacy Enforcement Tracker

1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.

Total Actions: 1,285 | Jurisdictions: 14 | Total Fines Tracked: $35.3B+

Access this data programmatically: MCP Server, API Docs

FTC | Settlement

AppFolio, Inc. (AppFolio)

AppFolio, Inc., a tenant background report provider, settled with the FTC for $4.25 million over allegations it violated the Fair Credit Reporting Act by failing to implement reasonable procedures to ensure the accuracy of its screening reports and by including eviction and non-conviction criminal records older than seven years. The settlement prohibits including old records and requires maintaining accuracy procedures.

High | Data Broker Non-Compliance

$4.3M

FTC | Consent Decree

Midwest Recovery Systems (Midwest Recovery)

The FTC settled with Midwest Recovery Systems for engaging in 'debt parking,' where it placed inaccurate debts on consumers' credit reports to force payment. The company collected over $24 million from such debts. The settlement requires it to delete all reported debts, stop the practice, and pay a $24.3 million monetary judgment.

Critical | Unauthorized Data Sharing | Health Data

$24.3M

NJ | Settlement | Multistate

Home Depot

Home Depot settled for $17.5 million over a 2014 data breach that compromised personal information of over 40 million consumers due to inadequate security at self-checkout kiosks. The settlement requires extensive cybersecurity reforms including an information security program, employee training, and encryption. New Jersey receives $579,623 from the multi-state settlement.

Critical | Data Breach | Security Failure

$17.5M

FTC | Settlement

Zoom Video Communications, Inc. (Zoom)

The FTC settled with Zoom for deceiving users about its encryption security and unfairly installing software that bypassed browser safeguards. Zoom must implement a comprehensive security program, undergo biennial audits, and is banned from making false security claims. No monetary penalty was imposed.

Low | Security Failure | Consent Failure

NJ | Settlement

Wakefern Food Corp., Union Lake Supermarket, LLC, ShopRite Supermarkets, Inc. (Wakefern)

Wakefern Food Corp. and associated ShopRite entities settled allegations that they improperly disposed of electronic devices containing protected health information, potentially exposing the data of over 9,700 New Jersey residents. They agreed to pay $235,000 and implement comprehensive data security measures including appointing privacy officers and providing training.

Medium | Health Data | Security Failure

$235K

FTC | Settlement

NTT Global Data Centers Americas, Inc. (NTT Global Data Centers Americas)

The FTC settled with NTT Global Data Centers Americas, Inc. for deceiving consumers about its participation in the EU-U.S. Privacy Shield framework. The company's certification lapsed in 2018, but it continued to claim compliance in its privacy policy and marketing materials. Under the settlement, NTT is prohibited from misrepresenting its participation in any privacy program and must apply Privacy Shield protections to previously collected personal data or delete it.

Low | Notice Failure

NJ | Settlement | Multistate

CHS/Community Health Systems, Inc. (Community Health Systems)

New Jersey Attorney General settled with Community Health Systems, Inc. over a 2014 data breach affecting 6.1 million patients, including over 45,000 New Jersey residents. CHS will pay $5 million to 28 states and implement enhanced data security measures to protect personal and health information.

High | Security Failure | Data Breach | Health Data

$5.0M

CA | Settlement | Multistate

Anthem, Inc. (Anthem)

Anthem, Inc. settled with California for $8.69 million over a 2014 data breach that exposed personal information of 78 million consumers, including 13.5 million Californians. The breach resulted from security deficiencies, and the settlement includes injunctive relief to improve information security practices. This action was part of a parallel multistate settlement.

High | Data Breach | Security Failure | Health Data

$8.7M

NJ | Settlement | Multistate

Anthem, Inc. (Anthem)

New Jersey Attorney General announced a multi-state settlement with Anthem, Inc. over a 2015 data breach that exposed personal information of over 78 million Americans, including 1.15 million New Jersey residents. Anthem will pay $39.5 million to participating states and implement enhanced cybersecurity measures.

Critical | Data Breach | Security Failure

$39.5M

CA | Settlement

Glow, Inc. (Glow)

California Attorney General settled with Glow, Inc. for $250,000 due to privacy and security failures in its fertility app that risked exposing users' sensitive health information. The settlement requires Glow to implement privacy and security measures, obtain affirmative consent for data sharing, and consider unique impacts on women.

Medium | Health Data | Security Failure | Consent Failure

$250K

FTC | Enforcement Action

MyLife.com, Inc. (MyLife.com)

The FTC filed a complaint against MyLife.com, Inc. and its CEO for deceiving consumers with 'teaser background reports' that falsely claimed to include criminal and arrest records, and for violating the Fair Credit Reporting Act by failing to ensure accuracy and permissible purpose. The company also engaged in misleading billing practices under the Restore Online Shoppers’ Confidence Act and Telemarketing Sales Rule.

Low | Unauthorized Data Sharing

FTC | Settlement

Ortho-Clinical Diagnostics, Inc. (Ortho-Clinical Diagnostics)

The FTC settled with Ortho-Clinical Diagnostics, Inc. for misleading consumers about its participation in the EU-U.S. Privacy Shield framework. The company allowed its certification to lapse in 2018 but continued to claim participation. The settlement prohibits such misrepresentations and requires compliance with Privacy Shield obligations for data collected or deletion of such data.

Low | Notice Failure

FTC | Settlement

Miniclip, S.A. (Miniclip)

The FTC finalized a settlement with Miniclip, S.A. for falsely claiming it was a member of the CARU COPPA safe harbor program. Miniclip is prohibited from misrepresenting its participation in privacy programs and subject to compliance and recordkeeping requirements.

Low | Children's Data

FTC | Settlement

Kohl's Department Stores, Inc. (Kohl's)

The FTC settled with Kohl's Department Stores for violating the Fair Credit Reporting Act by failing to provide identity theft victims with access to their business transaction records within 30 days. Kohl's agreed to pay a $220,000 civil penalty and must implement measures to comply with FCRA requirements, including providing records promptly and posting a notice on its website.

Medium | Notice Failure

$220K

FTC | Settlement

HyperBeard, Inc. (HyperBeard)

HyperBeard, Inc., a developer of children's apps, agreed to pay $150,000 and delete personal information it illegally collected from children under 13 to settle FTC allegations that it violated COPPA by allowing third-party ad networks to collect persistent identifiers without parental consent. The settlement requires HyperBeard to obtain verifiable parental consent for future data collection and prohibits using the illegally collected data.

Medium | Children's Data

$150K

FTC | Consent Decree

NTT Global Data Centers, Inc. (NTT Global Data Centers)

NTT Global Data Centers settled FTC allegations that it misled consumers about its participation in the EU-U.S. Privacy Shield framework and failed to comply with its requirements. The settlement requires the company to hire a third-party assessor if it re-certifies, prohibits misrepresentations about privacy programs, and mandates continued application of Privacy Shield protections or deletion of data collected while participating.

Low | Notice Failure

FTC | Consent Decree

Facebook, Inc. (Meta)

The FTC charged Facebook with deceiving consumers about its privacy practices and violating a 2012 consent order. In July 2019, Facebook agreed to pay a $5 billion civil penalty and accept comprehensive new privacy restrictions.

Critical | Notice Failure | Consent Failure

$5.0B

CA | Settlement | Multistate

Equifax

California Attorney General led a multistate settlement with Equifax for a 2017 data breach that exposed personal information of 147 million consumers due to security failures and delayed disclosure. Equifax must pay $175 million in state penalties, $425 million for consumer restitution, and implement data security enhancements including a comprehensive Information Security Program and credit monitoring for up to ten years.

Critical | Data Breach | Security Failure | Breach Notification Delay

$175.0M

CA | Settlement | Multistate

Premera Blue Cross (Premera)

Premera Blue Cross suffered a data breach in 2014 that exposed personal and medical information of 10.5 million consumers. As part of a multistate settlement, Premera agreed to pay $10 million in civil penalties and implement security improvements and a compliance program. California will receive over $1 million from the settlement.

High | Data Breach | Health Data | Security Failure

$10.0M

CA | Settlement

Aetna Inc. (Aetna)

Aetna Inc. settled with the California Attorney General for $935,000 over allegations that it revealed the HIV status of 1,991 Californians through a mailing error where medication information was visible through envelope windows. The settlement requires Aetna to implement improved mailing procedures and conduct annual privacy assessments. This action enforces health privacy laws and protects sensitive medical information.

Medium | Health Data

$935K

NJ | Settlement | Multistate

Neiman Marcus

Neiman Marcus settled a multi-state investigation over a 2013 data breach that compromised payment card data of approximately 370,000 consumers nationwide, including 17,000 in New Jersey. The company agreed to pay $1.5 million and implement enhanced cybersecurity measures such as PCI compliance, network monitoring, and regular security assessments.

High | Data Breach | Security Failure

$1.5M

NJ | Settlement

EmblemHealth, Inc. (EmblemHealth)

EmblemHealth, Inc. settled with the New Jersey Attorney General over a 2016 data breach where Medicare Health Insurance Claim Numbers (containing Social Security numbers) were improperly disclosed on mailing labels to over 81,000 customers, including 6,443 in New Jersey. The company agreed to pay a $100,000 civil penalty and implement compliance reforms including ceasing use of HICNs with SSNs, enhancing employee training, and notifying the state of future breaches.

Medium | Data Breach | Health Data | Security Failure

$100K

NJ | Settlement

ATA Consulting LLC (Best Medical Transcription)

ATA Consulting LLC, operating as Best Medical Transcription, settled for $200,000 over a 2016 server misconfiguration that publicly exposed health records of up to 1,654 patients. The settlement includes civil penalties and permanently bars the owner from operating a business in New Jersey. The breach violated HIPAA and the New Jersey Consumer Fraud Act due to inadequate security and failure to promptly notify affected individuals.

Medium | Health Data | Security Failure | Breach Notification Delay

$200K

NJ | Settlement | Multistate

Aetna, Inc. (Aetna)

Aetna, Inc. settled with New Jersey and other states over allegations that it improperly disclosed protected health information of thousands of individuals through mailings that revealed HIV/AIDS status and AFib study participation. The settlement requires Aetna to implement policy reforms, hire an independent consultant, and pay a civil penalty of $365,211.59 to New Jersey.

Medium | Health Data | Data Breach

$365K

NJ | Settlement | Multistate

Uber Technologies, Inc. (Uber)

Uber Technologies, Inc. agreed to pay $148 million to settle a multi-state investigation into a data breach that compromised personal information of riders and drivers. The breach occurred in November 2016 but was not disclosed until November 2017. Uber must adopt new policies to safeguard consumer data.

Critical | Data Breach | Security Failure | Breach Notification Delay

$148.0M

CA | Settlement | Multistate

Uber Technologies, Inc. (Uber)

Uber Technologies, Inc. settled for $148 million over a 2016 data breach that exposed 57 million users' personal information. The company was accused of covering up the breach by paying hackers and failing to notify authorities or affected drivers as required by law. The settlement includes a large penalty and mandates robust data security practices, privacy-by-design integration, and regular reporting to prevent future incidents.

Critical | Data Breach | Notice Failure | Security Failure

$148.0M

NJ | Consent Decree

Lightyear Dealer Technologies (DealerBuilt)

Lightyear Dealer Technologies (DealerBuilt) settled an investigation into a 2016 data breach where a misconfigured file system exposed personal data, including social security numbers and bank information, of thousands of auto dealership customers nationwide. The settlement includes an $80,784 payment (with $20,000 suspended) and mandatory cybersecurity reforms.

Low | Data Breach | Security Failure

$49K

NJ | Consent Decree

Unixiz, Inc. (Unixiz)

Unixiz, Inc. agreed to shut down its i-Dressup teen social website and pay $98,618 in civil penalties to settle allegations that it violated COPPA by collecting personal information from over 2,500 New Jersey children without parental consent and failed to safeguard user data, leading to a 2016 data breach affecting more than 24,000 New Jersey residents.

Low | Children's Data | Security Failure

$99K

NJ | Settlement

Meitu, Inc. (Meitu)

Meitu, Inc. allegedly violated COPPA and the New Jersey Consumer Fraud Act by collecting personal information from children under 13 without parental consent. The settlement requires Meitu to pay a $100,000 civil penalty, update its privacy policies, and modify its apps to block data collection from children.

Medium | Children's Data | Notice Failure | Consent Failure

$100K

NJ | Settlement

Virtua Medical Group, P.A. (Virtua Medical Group)

Virtua Medical Group agreed to pay $417,816 and implement a corrective action plan to settle allegations that it failed to properly secure electronic protected health information (ePHI). A vendor's server misconfiguration publicly exposed the medical records of over 1,650 patients via Google searches. The New Jersey Division of Consumer Affairs found VMG violated HIPAA's Security and Privacy Rules by not adequately vetting the vendor's security and failing to conduct proper risk analysis.

High | Health Data | Security Failure | Breach Notification Delay

$418K
