Skip to content
Main Menu
Utah Attorney General
Attorney General
Sean D. Reyes
Utah Office of the Attorney General
Secondary Navigation

Attorney General Reyes and The Home Depot Reach Settlement Regarding Data Breach

November 24, 2020

SALT LAKE CITY – Utah Attorney General Sean D. Reyes today announced that his office, the Utah Division of Consumer Protection and the attorneys general of 45 other states and the District of Columbia have obtained a $17.5 million-dollar settlement against Georgia-based retailer The Home Depot, resolving a multistate investigation of a 2014 data breach which exposed the payment card information of approximately 40 million Home Depot consumers nationwide. The State of Utah will collect $154,144.80 through this settlement.

The breach occurred when hackers gained access to The Home Depot’s network and deployed malware on The Home Depot’s self-checkout point-of-sale system. The malware allowed the hackers to obtain the payment card information of customers who used self-checkout lanes at The Home Depot stores throughout the U.S. between April 10, 2014 and Sept 13, 2014.

In addition to the $17.5 million total payment to the states, The Home Depot has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

“This settlement serves to promote fair but rigorous compliance with state laws which require businesses that collect or maintain sensitive personal information to implement and adhere to reasonable procedures to protect consumers’ information from unlawful use or disclosure,” Attorney General Reyes said.

Specific information security provisions agreed to in the settlement include:

  • Employing a duly qualified Chief Information Security Officer reporting to both the Senior or C-level executives and Board of Directors regarding The Home Depot’s security posture and security risks;
  • Providing resources necessary to fully implement the company’s information security program;
  • Providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
  • Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • Consistent with previous state data breach settlements, the company will undergo a post settlement information security assessment which in part will evaluate its implementation of the agreed upon information security program.

Other states participating in this settlement include: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Vermont, Virginia, Washington, West Virginia, and Wisconsin.

Utah Among 48 States to Reach a $60 Million Settlement with C.R. Bard, Inc Over Surgical Mesh Products

October 2, 2020

Forty-eight states, including Utah, have reached a $60 million multistate settlement with C.R. Bard, Inc and its parent company Becton, Dickinson and Company over allegations that Bard downplayed the risk of its transvaginal surgical mesh devices, which harmed consumers nationwide.

This settlement concludes a multistate investigation into C.R. Bard for allegedly misrepresenting and failing to disclose serious and life-altering risks of surgical mesh devices such as chronic pain, scarring and shrinking of bodily tissue, recurring infections, and other complications. 

Thousands of women implanted with surgical mesh have made claims that they suffered complications resulting from these devices such as erosion of mesh through organs, pain during sexual intercourse, and voiding dysfunction. Although use of surgical mesh involves the risk of these serious complications and is not proven to be more effective than traditional tissue repair, millions of women were implanted with these devices.

C.R. Bard and its parent company, Becton Dickinson and Company, have agreed to pay $60 million to the 48 participating states and the District of Columbia. In addition, the companies have agreed to:

  • Provide patients with understandable descriptions of complications in marketing materials.
  • Include a list of certain complications in all marketing materials that address complications.
  • Disclose complications related to the use of mesh in any training provided that includes risk information.
  • Disclose sponsorship in clinical studies, clinical data, or preclinical data for publication.
  • Refrain from citing to any clinical study, clinical data, or preclinical data regarding mesh, for which the company has not complied with the disclosure requirements.
  • Require consultants to agree to disclose in any public presentation or submission for publication Bard’s sponsorship of the contracted for activity.
  • Register all Bard-sponsored clinical studies regarding mesh with
  • Train independent contractors, agents, and employees who sell, market, or promote mesh, regarding their obligations to report all patient complaints and adverse events to the company.
  • Ensure that its practices regarding the reporting of patient complaints are consistent with FDA requirements.

In addition to Utah, the multistate group is comprised of Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, and Wisconsin. 

Landmark Settlement Case Announced in Gold King Mine Legal Case

August 5, 2020

Ground-breaking Deal Protects Future Water Quality; Concludes Intense Negotiations

SALT LAKE CITY—Today, the Office of the Utah Attorney General announces a landmark settlement with the Environmental Protection Agency (EPA) that will provide more than $220 million for remediation efforts in historic mining districts that pose an ongoing threat to Utah’s waterways and environment. The State of Utah will join forces with the EPA to monitor and clean-up these mining areas, even those located in other states.
Additionally, the State of Utah will receive $3 million in water quality grants from the federal government for projects located in Utah. Further, the EPA will initiate and bear the cost for evaluations at multiple Utah sites (costs per site may exceed $200,000) to determine if further remediation is necessary.
In exchange for all these benefits, the State will dismiss its tort and CERCLA claims against the EPA and EPA contractors. While the past five years of water monitoring shows no sign of impact to public health or the environment, the settlement with EPA allows this case to be re-instated if future evidence of harm due to the blowout emerges.
This deal ends a lawsuit filed after mine waste spilled from the Bonita Peak Mining District’s Gold King Mine in 2015. An EPA contractor accidentally caused the release of millions of gallons of toxic water which flowed into the Animas and San Juan rivers, also impacting Lake Powell in August of that year. 
Utah Attorney General Sean D. Reyes says the deal will ensure that future generations are protected from toxic mine waste in the affected area and other abandoned mines in and outside the state by gaining unique concessions that ensure action from the EPA, and which will allow the State of Utah to partner with the agency on projects that would otherwise be ignored in the foreseeable future. 
Important facts about the current status of the Gold King Mine Accident:

  1. The Surface Water is Clean:  DEQ has been monitoring the San Juan River and Lake Powell since the release in 2015. There is no evidence that the metals from the release are impacting public health or the environment.  DEQ continues to conduct studies on the sediments in Lake Powell to ensure no long-term impacts.  DEQ also continues to work with EPA and other jurisdictions to resolve abandoned mine discharges throughout the San Juan River watershed.
  2. Assurances for Future Water Quality: Also in the settlement, EPA has committed to providing $3 million in water quality grants to the Division of Water Quality. These water quality grants will be used to address challenging water quality problems in Utah such as harmful algal blooms in Utah Lake, protection of Utah’s drinking water aquifers, and incentivizing pollution reduction from unregulated agricultural sources. 

Response from Chief Criminal Deputy Spencer EAustin (who oversaw day-to-day operations of the case):

“Utah is fortunate Attorney General Reyes has such extensive environmental and complex-litigation experience. He was actively involved in this case and aggressively litigated and then aggressively negotiated a very favorable outcome on behalf of the people of Utah.

“Over my 45-year legal career trying cases, including my former partners and I handling some of the largest environmental cases in the nation, I have never seen a more favorable settlement for a plaintiff who, like the State of Utah in this case, ultimately lacked evidence of damages. In tort cases, you not only have to prove someone did something wrong, you must prove there is actual harm or damages resulting directly from that wrongdoing. Without evidence of harm to public health or the environment after years of monitoring, the State would have a difficult time at best proving its damages.

“Here, the State is trading away the uncertainty of an increasingly difficult case that would cost millions of dollars over many more years in exchange for the certainty of immediate benefits that will directly protect and positively impact Utah now and into the future.

“The State is getting a unique mix of assets: significant remediation commitments for very real threats, cash for Utah water quality projects, environmental monitoring and testing paid for by the EPA, assurances that Utah has a seat at the table for important decisions about mitigation in areas even outside our state borders and the safety net of being able to re-open the case should evidence of harm begin to arise.

“We anticipate difficult economic times ahead due to the COVID-19 crisis, and our settlement solidifies these commitments ahead of any kinds of cuts or reorganizations in the federal government.

“The Utah Attorney General’s Office would like to thank the Governor, the Utah Legislature, the Department of Environmental Quality and the Division of Water Quality for their support in this case. We would particularly like to acknowledge the hard work from leadership and many others at Utah DEQ, DWQ the Attorney General’s Office, outside counsel Peter Hsiao, and those at the EPA, who assisted in and will work on mitigation efforts moving forward. ”

Response from Utah Attorney General Sean D. Reyes:

“After years of intense litigation and negotiations, we are very pleased that millions of dollars can now be spent towards mitigation, remediation and assuring water quality in Utah rather than years of more litigation, trial and appeals. This is what cooperative federalism looks like—a true federal and state partnership.

“Protecting the people, public health and environment of the State has always been the top priority in this case. Our two goals were simple.  First, get the federal government to clean-up massive amounts of waste still lurking in many historic mining districts including the one that caused the Gold King Mine blowout.

“We have achieved that goal through litigation and now settlement. We are highly encouraged the EPA has stepped up and committed hundreds of millions of dollars toward cleaning-up several dangerous mining districts containing billions of gallons of potentially harmful substances that threaten Utah if they are released. Further, our agreement with the EPA allows Utah to work as a partner in the remediation and monitoring of these areas to help ensure the State’s best interests are protected.

“Our second goal in filing our case was to ensure our federal partners paid for any harm caused by the blowout. We had to file our case when we did and litigate as aggressively as we did with the facts we had at the time. We had to assume the worst–that long-term monitoring would eventually show harmful effects to health and the environment–and that such effects would coincide with illnesses and other impacts directly traceable to the Gold King Mine blowout.

“Over time, though, as consistent monitoring and Utah’s own top water quality experts determined no harmful impacts occurred, and no detriment to human, animal or plant life manifested, our ability to prevail at trial diminished significantly.

“We would have expended several millions of dollars on both sides continuing litigation to trial and inevitable appeals. But we thought putting money towards remediation instead of litigation made more sense; particularly in light of our own COVID-19 budget constraints and the likelihood that we may not prevail at trial.

“Again, this is the best possible outcome for Utah given the reality of the facts and the evolution of this case. We thank the EPA for seeing the merits of settlement and for its cooperation in crafting this resolution that truly benefits both sides.”

Response from Utah Department of Environmental Quality Executive Director, Scott Baird:

“This settlement will enable DEQ to improve and protect water quality and human health across the state. The staff, scientists and engineers at Utah DEQ work tirelessly to safeguard and improve Utah’s air land and water. We are pleased that EPA has taken responsibility and is committed to working with Utah.”

Key Elements of Settlement:

  • Prior to the settlement agreement, Utah’s Office of the Attorney General recovered the majority of the state agencies actual response costs following the Gold King Mine release. This totaled more than $500,000. This amount is in addition to the recovery under the settlement.
  • A commitment from the EPA to pay for costs of ongoing Superfund (CERCLA) response actions in the Bonita Peak Mining District and other mining sites upstream from Utah in an amount expected to be more than $220 million. While funds will not be paid directly to the State, they will be used specifically to mitigate direct threats to Utah, eliminating or reducing discharges from the mines and improve downstream surface water quality in Utah. Utah will be gaining the benefit of more than $220 million in remediation expenditures.
  • A “seat at the table” for Utah in ongoing and planned remedial actions in the Bonita Peak Mining district and other contaminated areas. The EPA will provide Utah meaningful and substantial involvement in the Superfund response actions at the Bonita Peak Mining District to improve downstream water quality. This type of official collaboration for a site located in another state is rather unprecedented.
  • Also in the settlement, EPA has committed to providing $3 million in water quality grants to the Division of Water Quality. These water quality grants will be used to address challenging water quality problems in Utah such as harmful algal blooms in Utah Lake, protection of Utah’s drinking water aquifers, and incentivizing pollution reduction from unregulated agricultural sources. If these grants for any reason are not provided to Utah, the State may reinstate the Lawsuit.
  • In addition to upstream response actions, EPA will initiate and pay for removal site evaluations in Big and Little Cottonwood Canyons in Salt Lake County, in the Lisbon Valley area of San Juan County, and at the Ophir Mining District in Tooele County (each evaluation can cost $200,000 or more).  If it weren’t for this settlement, these site evaluations would likely not occur. Depending on the findings, the site evaluations may lead to other remedial actions which may further improve water quality in the San Juan River and Lake Powell.
  • Finally, the settlement provides a “re-opener” allowing for Utah’s Superfund (CERCLA) claims tied to the Gold King Mine release to be reinstated if new data demonstrates a risk to human health.

Questions and Answers

Q–Originally, the State asked for $1.9 billion dollars in damages.  What happened to that claim?
A–The $1.9 billion figure was based on a worst possible scenario; namely, the anticipated costs to dredge the San Juan river as well as Lake Powell and was based on past cleanup efforts at similar sites with sediment contamination in other states.

  1. It is not possible to definitively pinpoint damages in this case.  Because of the number of mines in the Bonita Peak Mining District that have been slowly leaching wastewater into the rivers over time, it is impossible to pinpoint which sediment is from the Gold King Mine Accident and which was already present.  Proving damages—a key element of this case—would have been difficult if not impossible to prove.
  2. Dredging the rivers and Lake Powell would be a very invasive, long and expensive process.  The runoff has settled into the bottom of the rivers and Lake Powell, where undisturbed, it is not posing harm.  Water quality monitoring of all the waterways have determined the water is safe for humans and is sustaining wildlife.  Dredging activity, however, would produce unpredictable results and would be potentially unwise as well as extremely expensive.

In summary, Utah filed a $1.9 billion claim for damages caused by heavy metals release into the San Juan River and Lake Powell. The claim was based on sediment remediation costs incurred at other sites and a “worst-case scenario” for the cleanup. It was necessary for Utah to file this complaint when it did due to the statute of limitations.  If the complaint had not been filed, the state would have lost its claims.
Q–What about the Native American Tribes and other states that have also been affected by the Gold King Mine accident?
A– Native American litigants are seeking their own legal action, which is pending. Colorado has decided not to pursue legal action. New Mexico’s case is currently pending.
Q–Is the water in the Animus, San Juan rivers and in Lake Powell safe?
A–Yes. And it has been since shortly after the blowout. All our monitoring has indicated no harm to humans, wildlife, plants or other biota. 
Q–Why did Utah file a claim if it’s been safe?
A—Utah officials did not know at the time what long term effects the blowout might have or how the results of initial monitoring might change. The relevant statute of limitations would not let us monitor for years before deciding to file a case. We had to file when we did to preserve our rights. 


Statement on Settlement Between State of Utah and John Swallow

September 6, 2019


SALT LAKE CITY – Today the Utah Attorney General’s Office issued the following statement:

“After a jury acquitted Mr. Swallow, he brought a claim for his attorney fees, which the State is obligated to pay under Utah law. While the amount he claims in attorneys fees is much higher, the parties have agreed to settle for payment of $1.5 million by the State in exchange for dismissal with prejudice of all claims. 

“Though many may be reluctant to pay anything in this matter, the law is clear and neither the executive branch nor the legislature have the ability to deviate from it. The legislature is upholding the rule of law by approving this settlement, which closes the book on a controversial chapter in Utah history.”


Health Insurer Premera Settles Suit for Failing to Protect Sensitive Data

July 11, 2019

Health Insurer Premera Settles Suit for Failing to Protect Sensitive Data

Premera Breach Affects Millions Nationwide; Including about 50,000 Utahns

OLYMPIA, WA — Premera Blue Cross, the largest health insurance company in the Northwest has settled a lawsuit over failing to fix known security problems that exposed personal information of more than 10.4 million consumers nationwide, including approximately 50,000 Utahns to a hacker.

Utah Attorney General Sean D. Reyes and 29 other attorneys general filed a settlement today that requires Premera Blue Cross to pay $10 million total to states, over its insufficient data security and failure to secure the consumer data, including protected health and personal information.

A nearly year-long investigation focused on Premera’s cybersecurity vulnerabilities that gave a hacker unrestricted access to the data for almost a year. Under the settlement, Premera will:

  • Pay a total of $10 million to states.  (Premera settled a class action lawsuit for $74 million earlier this year.)
  • The company is also required to implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general.
  • Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but not yet finalized by the court.

“This was clearly a violation of Federal and Utah privacy laws and is simply unacceptable,” said Utah Attorney General Sean D. Reyes.  “Even worse, but the company knew about the deficient data security for nearly a year and didn’t take necessary measures to fix it.  Consumers deserve much, much better.”

The complaint asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Utah Protection of Personal Information Act (UPPIA) by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for almost a year.

From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.

The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.

Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumer’s sensitive data vulnerable to hackers for nearly a year.

Today’s settlement also requires Premera to:

  • Ensure its data security program protects personal health information as required by law
  • Regularly assess and update its security measures
  • Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office
  • Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
  • Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

Today’s multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.

A copy of the settlement can be viewed here.


Protecting Utah Consumers: Wells Fargo Settlement

January 1, 2019

On Friday, Wells Fargo agreed to pay $575 million after investigations and lawsuits from all 50 states and the District of Columbia for account fraud and other illegal business practices. Utah will receive $10 million.

Investigations started in 2016 after Wells Fargo admitted employees opened over 3.5 million fraudulent bank accounts in consumers’ names, without their knowledge or consent. Further investigation revealed improper practices involving insurance, auto loans, financing, and mortgages.

The Utah Attorney General’s Office worked alongside the Division of Consumer Protection and 49 other attorneys general to reach an appropriate settlement. From the press release:

“To date, this settlement represents the most significant engagement involving a national bank by state attorneys general acting without a federal law enforcement partner.”

Utah Attorney General Sean Reyes stated, “We appreciate the efforts Wells Fargo has made to address these important consumer issues. We all share the same goal: to enjoy a strong economy where consumers’ privacy, choices, and funds are protected. To this end, the Division of Consumer Protection, our assistant AG’s and sister-state Attorneys General acted with vigilance and I am grateful for their hard work.”

This settlement agreement follows previous settlements and fines paid by Wells Fargo. “This agreement underscores our serious commitment to making things right in regard to past issues as we work to build a better bank,” said Tim Sloan, Chief Executive Officer and President of Wells Fargo, in Wells Fargo’s press release.

The $10 million that Utah receives will go to the Division of Consumer Protection Education Fund.

Read more:

Press release: Utah Division of Consumer Protection to receive $10M in multi-state settlement

The settlement agreement (82-page PDF)

Salt Lake Tribune: Wells Fargo pays $575 million to settle state investigations over fake accounts and other shady practices; $10 million will go to Utah

Deseret News: Wells Fargo pays $575 million to settle state investigations

New York Times: Wells Fargo Agrees to Pay $575 Million to Resolve State Investigations




Photo by Mike Mozart

Uber to pay $148 million in multi-state settlement

September 26, 2018


Uber agrees to strengthen security practices after data breach

SALT LAKE CITY – Today, Attorney General Sean Reyes and Utah Department of Commerce Executive Director Francine Giani jointly announced that Utah would receive nearly $900,000 from Uber Technologies, Inc. (Uber) in a settlement agreement over a one-year delay in reporting a data breach to affected drivers. Uber will pay Utah, the other 49 states, and the District of Columbia a total of $148 million in addition to strengthening its corporate governance and data security practices to prevent similar occurrences in the future.

Uber learned in November 2016 that hackers gained access to personal information involving the ride-sharer’s drivers, including drivers’ license information.  The data breach involved approximately 600,000 drivers nationwide, about 2,500 from Utah. Uber tracked down the hackers and obtained assurances that the hackers deleted the information. Utah’s law requires Uber to notify affected Utah residents, but Uber failed to report the breach until November 2017.

Attorney General Reyes stated, “I’m a fan of Uber, but that doesn’t keep us from doing our job. Protecting Utahns, their data, and identities is one of the top priorities of my office. Working with the Utah Department of Commerce and colleagues from other states, we were able to achieve a fair resolution without protracted litigation.” Deputy Attorney General David Sonnenreich added, “prompt reporting of data breaches is important so that victims have the information they need to better protect themselves from identity theft.” 

“Sadly data breaches have become a constant headline in our highly connected lives,” said Francine Giani, Executive Director for the Utah Department of Commerce. “We hope Uber’s case sends a message to the business community to be swift in alerting the public when consumer information is compromised.  The Department of Commerce is grateful for the partnership with the Attorney Generals’ Office in settling Utah’s claim.”

The settlement requires Uber to: 1) comply with Utah data breach and consumer protection law about Utah residents’ personal information and notifications in the event of a data breach; 2) take precautions to protect any user data Uber stores on third-party platforms outside of Uber; 3) use strong password policies for its employees to gain access to the Uber network; 4) develop and implement a strong data security policy for all data that Uber collects about its users, assess potential risks to the security of the data, and implement additional security measures beyond what Uber is doing to protect the data; 5) hire an outside qualified party to assess Uber’s data security efforts on a regular basis and draft a report with recommended security improvements, and 6) develop and implement a corporate integrity program to ensure that ethics concerns brought by Uber employees about other employees will be heard.

Utah joins the other 49 states and the District of Columbia in this multistate agreement with Uber.

# # #


  1. You can find a copy of the Complaint, Proposed Judgment, and additional court documents here:


Photo by Antonio DiCaterina