Security Transparency Report Section (Capital One 2019)
Use this to draft a section for an annual or ad-hoc transparency report covering security: requests received, incidents, and program highlights. It supports accountability and stakeholder trust.
Purpose
This section provides a structured transparency narrative for Capital One 2019, summarizing incident and governance context, program improvements, and measurable control progress for external stakeholders. It is designed for consistent recurring reporting.
Hallucinated writing examples
Scenario: In an illustrative period following the 2019 Capital One cloud breach and related enforcement and litigation tracks (time), the Security Director (role) prepares a security transparency report section (type) for leadership stakeholders (audience).
SECURITY — TRANSPARENCY REPORT SECTION (DRAFT)
Overview: Our security program protects customer and company data, manages technology and cyber risk, and meets regulatory and legal expectations. This section summarizes our approach, key metrics, notable events, and commitments for the reporting period. It should be read together with our SEC filings, including 10-K Item 1C (Cybersecurity) and Risk Factors, for a complete picture of material risks and incidents.
Material Cybersecurity Incident: In July 2019, we publicly disclosed that an unauthorized individual had obtained access to customer data stored in our AWS-hosted infrastructure. The incident affected approximately 106 million individuals in the United States and Canada. We fixed the vulnerability and notified federal law enforcement, and the individual was arrested on July 29, 2019 (United States v. Paige A. Thompson, U.S. District Court, W.D. Wash.). Remediation and program improvements have been ongoing since that time.
Regulatory and Legal Outcomes: In August 2020, the Office of the Comptroller of the Currency (OCC) issued a Consent Order and imposed an $80 million civil money penalty (OCC News Release NR 2020-98). The Consent Order required us to strengthen risk management, board and management reporting, cloud security, and third-party risk management. We are in compliance with Consent Order milestones and report progress to the OCC. Consumer class-action litigation related to the 2019 incident was resolved by a settlement approved by the U.S. District Court for the Eastern District of Virginia (In re Capital One Consumer Data Security Breach Litigation); the settlement benefits and claims process are described at the settlement website.
Program Highlights (2020): We have invested in cloud configuration governance (config-as-code, drift detection), identity and access management (least-privilege review), logging and retention, and independent control testing. Board and regulator reporting have been enhanced per the Consent Order. We are committed to maintaining a strong security program, meeting our Consent Order and legal obligations, and providing transparent and accurate disclosure to customers, regulators, and investors. We will continue to report material developments in our SEC filings and public statements.
References: 10-K (Item 1C and Risk Factors); [Company security or privacy page]; [Settlement site].
For questions: [contact].