STATE OF TEXAS, ¤ IN THE DISTRICT COURT
¤ LIBERTY COUNTY, TEXAS
CVS PHARMACY, INC., Defendant ¤ ¤ 253RD JUDICIAL DISTRICT
On this the ~ay of ~, 2008, came before this court, Plaintiff, STATE OF TEXAS and Defendant, CVS Pharmacy, Inc. ("CVS"), in the above entitled and numbered cause. The STATE OF TEXAS, by and through Texas Attorney General GREG ABBOTT, and Defendant, by and through its attorney of record, announced to the Court that all matters of fact and things in controversy between them had been fully and finally compromised and settled and presented to the Court this Agreed Final Judgment and Permanent Injunction ("Judgment"). By their duly authorized signatures, the parties stipulated to the Court the following: that they understand the terms of this Judgment; that they agree to the terms of this Judgment; that they have waived all rights of appeal from this Judgment; that they actively participated in the negotiations leading up to this Judgment and are aware of the duties placed upon them by it and are desirous and capable of carrying out those duties in full; that they acknowledge receipt of copies of this Judgment and have full and actual notice of the terms of this Judgment; that the issuance and service of a writ of injunction are waived; that the terms of this Judgment are sufficiently detailed and specific to be enforceable by the Court in conformance with Tex.R.Civ.P. 683; that this Judgment represents a compromise and settlement of all matters arising out of facts alleged by the STATE OF TEXAS in this cause.
Pursuant to the agreement, the parties submit to the jurisdiction of the Court and do not contest the entry ofthis Judgment.
CVS, desiring to resolve the Attorney General's concerns without trial or adjudication of any issue of fact or law, has consented to entry of this Judgment, which is not an admission of liability by CVS as to any issue of fact or law.
It appearing to the Court that all parties agree to the entry of this Judgment and that they have approved its entry by their duly authorized signatures and the signature of their respective attorneys below, the Court, upon the stipulations of the parties and after being fully advised in this matter, finds as follows:A. THAT it has jurisdiction ofthe parties and subject matter ofthis suit; B. THAT the settlement ofthis dispute is fair, reasonable, and just; and C. THAT it would be in the best interests of the parties if the Court approved the settlement and rendered judgment accordingly.
Based on these findings, and having heard and considered the representations made by the parties, the Court is of the opinion that a permanent injunction should be issued as granted in this Judgment and that plaintiff STATE OF TEXAS is entitled to recover of and from Defendant CVS as set forth below.
For purposes ofthis Judgment, these words are defined as follows:
Date of birth, (2)
Social security number or other government-issued identification number; (3)
Mother's maiden name; (4)
Unique biometric data, including the individual's fingerprint, voice print, and retina or iris image; (5)
Unique electronic identification number, address, or routing code; (6)
Telecommunication access device, including debit and credit card information; or (7)
Financial institution account number or any other financial information.
B. "Sensitive personal information" means:
An individual's first name or first initial and last name in combination with anyone or more of the following items, if the name and the items are not encrypted: (a)
Social security number; (b)
Driver's license number or government-issued identification number; or (c)
Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; and (2)
Does not include publicly available information that is lawfully made available to the general public from the federal government or a state or local government.
C. "Management team" means all employees of Defendant whose positions involve a supervisory capacity, including, but not limited to the present titles of Regional Manager, District Manager, Store Manager, Pharmacy Supervisor, and Pharmacy Team Leader. D. "Person" means an individual, partnership, corporation, or entity of any kind. E. "Stores" means all pharmacy and retail sites owned and operated by Defendant in Texas. F. "Privacy protection laws" includes but is not limited to Tex. Bus. & Com. Code Ann. ¤ 35.48 (hereinafter "Section 35.48") and Chapter 48 of the Tex. Bus. & Com. Code Ann. ¤ 48.001, et seq. (hereinafter "Identity Theft Enforcement and Protection Act"). INJUNCTIVE RELIEF
It is hereby ordered, adjudged and decreed that CVS, and CVS's officers, agents, servants, employees and any other persons or entities in active concert or participation with CVS, shall be permanently enjoined from disposing of records that contain personal identifying information or sensitive personal information unless:A. CVS modifies such records by shredding, erasing, or by some other means that makes the personal identifying information or sensitive personal information unreadable or undecipherable; or B. CVS contracts with a person engaged in the business of disposing of records for the modification of personal identifying information or sensitive personal information contained therein, by shredding, erasing, or by other means, to make it unreadable or undecipherable.
IT IS FURTHER ORDERED that CVS shall amend its information security programs, including its current Blue Bag confidential waste disposal program, to protect and safeguard from unlawful use, disposal or disclosure any personal identifying information or sensitive personal information of a customer (hereafter, "Personal Information") collected or maintained by its Texas stores in the regular course of business. Such information security program (hereafter, "Program") shall protect and safeguard Personal Information and at a minimum, must include the elements set forth in the following paragraphs 9 through 17 below.COMPLIANCE REPRESENTATIVE
CVS shall designate a qualified corporate based employee to serve as CVS's Compliance Representative, who shall be responsible for assuring compliance with CVS's Program and, more generally, for overseeing efforts to comply with the terms of this Judgment and privacy protection laws. For a period of five (5) years after entry of this Judgment, the duties of the Compliance Representative shall include oversight ofthe following:
Within sixty (60) days after entry of this Judgment, CVS shall adopt and commence implementation of the Program, which will be fully documented in writing and contain administrative, technical, and physical safeguards appropriate to CVS's operations and activities and the sensitivity ofthe information collected from or about customers.
A. That their compliance with the Program and their region, district or store's compliance with the Program may be taken into account in connection with compensation, promotion, and retention decisions; B. That Defendant will monitor store and individual employee compliance with the Program; C. That failure to comply with the Program and privacy protection laws may constitute grounds for termination; and D. That training regarding the Program will be provided to all employees on or before a specific date. RECORD MODIFICATION
When disposing of records in Texas that contain Personal Information, CVS will either modify such records by shredding, erasing, or by some other means that makes the Personal Information unreadable or undecipherable or contract with a person engaged in the business of disposing of records for the modification of Personal Information by shredding, erasing, or by other means, to make it unreadable or undecipherable. Records containing Personal Information that are pending modification must be placed in secured locked containers, maintained in a secured area, or otherwise be stored securely to prevent the unlawful use, dissemination, or disposal of such records. If CVS elects to contract with a third party provider, then the third party provider must provide certification to CVS that all Personal Information has been shredded, erased, or otherwise modified rendering it unreadable or undecipherable. CVS shall maintain records identifying the specific third party provider that services each of its Texas stores. Cv S shall either require the third party provider to maintain in its records the required certifications for a minimum period of six months or shall maintain the required certifications in its files for a minimum period of six months.EMPLOYEE TRAINING
Cv S's Program shall include the following employee training elements:A. A review of the Program and of any other ofeYS's policies and practices relating to the protection and disposal of records containing Personal Information along with the disclosure that compliance with the Program and any related policies and practices will be taken into account in connection with performance reviews and disciplinary decisions up to and including termination; B. An explanation of identity theft, its cost to individual consumers and businesses and thus, the importance of abiding by the Program and any related policies and practices;
e. A review of the privacy protection laws applicable to the proper safeguarding and disposal of Personal Information; D.
The name and telephone number and/or e-mail address of the corporate based employee or third party vendor to whom employees can anonymously report any failures to comply with the Program; and E.
Written or electronic acknowledgement that each employee has completed the
Program training and understands how to comply with the Program. The requirements of paragraph 13 shall remain in effect for a period of five (5) years after entry of this Judgment. Thereafter, Cv'S may elect to modify the training elements required by this paragraph. In that event, Cv'S shall maintain and make available to the Attorney General, upon
request, documents which (A) describe in detail CYS's training program; (B) explain how that program serves to assure compliance with privacy protection laws; and (C) demonstrate that its Texas employees have completed such training and understand how to comply with CYS's program. TRAINING SCHEDULE
Within one hundred and twenty (120) days after entry of this Judgment, CYS shall provide all current Texas store personnel with the training described in the preceding paragraph
CVS shall provide this same training to new employees within sixty (60) days of the employee's first date of employment and this training may be incorporated into new hire training or orientation. CYS shall provide all its employees with additional, periodic training at least annually to ensure they maintain the requisite knowledge, skill, and motivation regarding compliance with the Program.CORPORATE DOCUMENTATION OF TRAINING
For a period of five (5) years after entry of this Judgment, CYS shall on the anniversary date .of its entry forward to the Office of the Attorney General a sworn statement signed by the Compliance Representative certifying that CYS's Texas store personnel have completed the training program described in paragraphs 13 and 14.POSTED NOTICES REQUIRED
CYS shall post and maintain signs in each of its Texas stores that clearly and conspicuously disclose to all front store and pharmacy employees the procedure to be used to properly dispose of records containing Personal Information.
CVS agrees that at least once every six months it will randomly select and visit a
A. CVS has fulfilled its obligation to conduct compliance checks required by this paragraph; B. its compliance checks conducted in years 4 and 5 demonstrate that CVS employees in Texas are in compliance with the terms ofthis judgment; and C. CVS has received no confirmed reports or information reflecting that its employees have failed to safeguard personal information, including disposing of documents with Personal Information without first modifying the records by shredding, erasing or by some other means making the Personal Information unreadable or undecipherable. INSPECTION AND REVIEW OF THE PROGRAM
CVS shall make available for inspection and review a copy of the Program to the
POTENTIAL CONFLICTS OF LAW
To the extent that the terms of this Judgment conflict with any Texas, local or federal law or regulation which now exists or is later enacted or amended, such law and not this Judgment shall apply where such conflict exists. For purposes of this Judgment, a conflict exists if conduct prohibited by this Judgment is required or permitted by such Texas, local, or federal law or regulation, or if such conduct required by this Judgment is prohibited by such Texas, local, or federal law or regulation.MODIFICATION
In the event that CVS concludes, based on changed circumstances, that the terms of this Judgment unfairly restrict its business practices, then CVS may submit a written request to the Attorney General seeking to modify the injunctive terms of this Judgment including requesting that any or all of CVS's obligations under the injunctive terms cease. The Attorney General shall make a good faith evaluation of CVS's request and shall respond to the request within ninety (90) days of receipt of such request. If the Attorney General denies CVS's requested modification, ,CVS may in accordance with the Texas Rules of Civil Procedure petition the Court for modification ofthe terms and conditions ofthis Judgment.ENFORCEMENT
If the Attorney General has reason to believe that CVS has failed to comply with any of the terms of this Judgment, the Attorney General will notify CVS in writing of such failure to comply and CVS shall then have fifteen (15) business days from receipt of such written notice to provide a good faith written response to the Attorney General's notification. The response shall
A. A statement explaining why CVS believes it is in full compliance with the
Judgment; or B. A detailed explanation of how the alleged violation(s) occurred; and a statement that the alleged breach has been cured and a description of the action taken by CVS to cure the breach; or C. A statement that the alleged breach cannot be reasonably cured within fifteen (15) business days from receipt of the notice, but (a) CVS has begun to take corrective action to cure the alleged breach; (b) CVS is pursuing such corrective action with reasonable and due diligence; and (c) CVS has provided the Attorney General with a detailed and reasonable time table for curing the alleged breach.
Nothing herein shall prevent the Attorney General from agreeing to provide CVS with additional time beyond the fifteen (15) business day period to respond to the notice. Nothing in this paragraph 21 shall be construed to limit the authority or discretion of the Attorney General to act in the public interest to enforce applicable state laws. MONETARY PAYMENT
Within thirty (30) days of the entry of this Agreed Final Judgment and Permanent Injunction, CVS shall pay to the State ofTexas the sum of $315,000, which includes $40,000 for attorneys' fees and costs. The remainder, $275,000, is to be deposited in the general revenue fund and may, as provided by Ch. 48.201 be appropriated only for the investigation and prosecution of cases under the Identity Theft Enforcement and Protection Act.
Such payment shall be made in the form of a certified check or wire transfer made payable to the Office of the Attorney General of Texas, bearing the Attorney General number #072443310 and shall be delivered to the Office of the Attorney General, Consumer Protection and Public Health Division, 300 W. 15th St., 9th Floor, Austin, Texas 78701, Attention: Janie Salazar.
All costs of court expended or incurred in this cause shall be paid by the party incurring
The Judgment is a complete settlement and release of all claims under Section 35.48 and the Identity Theft Enforcement and Protection Act, Ch. 48 relating to or alleging that CVS unlawfully disposed of records containing Personal Information that have been or could have been brought based upon acts, practices or courses of conduct that have occurred through the date of this Judgment. Nothing in this paragraph shall be deemed to preclude the Office of the Attorney General's review of acts, practices or courses of conduct that occur after the entry of this Judgment.MISCELLANEOUS
Legal Exposure -This Judgment is not intended to grant or limit any legal rights or remedies of any nature to any third party.
Notices -All notices required by this Judgment shall be sent by certified or registered
mail, return receipt requested, postage prepaid or by hand delivery to:
If to the Attorney General:
Roberta H. Nordstrom
Assistant Attorney General
John Owens, Deputy Chief
Consumer Protection and Public Health Division
Office ofthe Attorney General
808 Travis, Suite 300 Hou~0~Texas77002
Telephone: (713) 223-5886
D. Esther Chavez, Deputy Chief
Consumer Protection and Public Health Division
300 W. 15th Street
Austin, Texas 78701
Telephone: (512) 475-4628 If to CVS Pharmacy, Inc.:
Edward D. Burbach
Gardere Wynne Sewell LLP
600 Congress Avenue, Suite 3000
Austin, Texas 78701
Telephone: (512) 542-7003 AND
Christine L. Egan
Assistant General Counsel HealthCare Regulatory and
Intellectual Property Practice Privacy and Security Official
One CVS Drive
Woonsocket RI 02895
Retention of Jurisdiction -Jurisdiction is retained for the purpose of enabling any party
After signing by the Court, this agreement constitutes a final judgment.
All relief not expressly granted herein is denied.
SIGNED on ovt~ ~ ,S;-,2008,
AGREED AS TO FORM AND TO SUBSTANCE:
ON BEHALF OF THE STATE OF TEXAS BY:
OBERTA H NORDSTROM State Bar No. 24036801 JOHN OWENS State Bar. No. 15379200 Assistant Attorneys General Office ofthe Attorney General Consumer Protection and Public Health Division 808 Travis, Suite 300 Houston, Texas 77002
223-5886 -Telephone (713)
223-5821 -Facsimile D.
ESTHER CHAVEZ State Bar No. 04162200 C.
BRAD SCHUELKE State Bar No. 24008000 Assistant Attorneys General Office of the Attorney General Consumer Protection and Public Health Division 300 W. 15th Street Austin, Texas 78701
475-4628 -Telephone (512)
ATTORNEYS FOR THE STATE OF TEXAS
AGREED AS TO FORM AND TO SUBSTANCE: CVS PHARMACY, INC.
By: Christine L. Eg Assistant General Counsel HealthCare Regulatory and Intellectual Property Practice Privacy and Security Official
16 of 16