STATE OF TEXAS V ANTHEM, OTHER CIVIL (GEN LIT)
CAUSE NO. ________________

IN THE MATTER OF STATE OF TEXAS and ANTHEM, INC., Respondent
IN THE DISTRICT COURT OF TRAVIS COUNTY, TEXAS, _______ JUDICIAL DISTRICT

PETITION AND MOTION FOR APPROVAL AND ENTRY OF ASSURANCE OF VOLUNTARY COMPLIANCE

TO THE HONORABLE JUDGE OF SAID COURT:

COMES NOW the STATE OF TEXAS, acting by and through the Attorney General of Texas, Ken Paxton, and in accordance with the requirements of the Texas Deceptive Trade Practices - Consumer Protection Act, Tex. Bus. & Com. Code § 17.58, respectfully files this petition asking the Court to review and approve the attached Assurance of Voluntary Compliance. As evidenced by their signatures, the Assurance is agreed to by the respective parties.

Respectfully submitted,
KEN PAXTON, Attorney General of Texas
JEFFREY C. MATEER, First Assistant Attorney General
RYAN L. BANGERT, Deputy First Assistant Attorney General
DARREN L. MCCARTY, Deputy Attorney General for Civil Litigation
JENNIFER S. JACKSON, Chief, Consumer Protection Division

CAUSE NO. ________________

IN THE MATTER OF STATE OF TEXAS and ANTHEM, INC., Respondent
IN THE DISTRICT COURT OF TRAVIS COUNTY, TEXAS, _______ JUDICIAL DISTRICT

ASSURANCE OF VOLUNTARY COMPLIANCE

This Assurance of Voluntary Compliance (“Assurance”) is entered into by the Attorneys General of Alaska, Arizona, Arkansas, Colorado, Connecticut, the District of Columbia, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, New Jersey, New York, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, Washington, West Virginia, and Wisconsin (collectively, “Attorneys General”) and Anthem, Inc. (“Anthem”) to resolve the Attorneys General’s investigation into the criminal cyberattack on Anthem’s systems, which Anthem publicly announced on February 4, 2015 (collectively, the “Parties”). In consideration of their mutual agreements to the terms of this Assurance, and such other consideration as described herein, the sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:

I. INTRODUCTION

This Assurance of Voluntary Compliance shall, for all necessary purposes, also be considered an Assurance of Discontinuance.

The State of California has simultaneously entered into a settlement with Anthem in a form consistent with California law.

This Assurance constitutes a good faith settlement and release between Anthem and the Attorneys General of claims under state law and the federal Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and its implementing regulations, 45 C.F.R. §§ 160, 162, and 164 (“HIPAA”), related to a data breach, publicly announced by Anthem on February 4, 2015, in which a criminal cyber attacker gained unauthorized access to its network and infiltrated an internally hosted enterprise data warehouse, which contained the personal information (“PI”) and/or protected health information (“PHI”) of Anthem plan members and other individuals (the “Data Breach”). Anthem discovered the unauthorized access that caused the Data Breach on or about January 29, 2015. The Data Breach affected approximately 78,800,000 individuals nationwide. The information accessed in unencrypted form by the cyber attacker included names, dates of birth, Social Security numbers, healthcare identification numbers, home addresses, email addresses, phone numbers, and employment information, including income data.

II. DEFINITIONS

For purposes of this Assurance, the following definitions shall apply:

A. “Anthem” shall mean Anthem, Inc., its wholly owned, integrated, and operated affiliates, subsidiaries, and divisions, successors, and assigns, directors and officers, and employees doing business in the United States.

B. “Anthem Network” shall mean the networking equipment, databases or data stores, applications, servers, and endpoints that are capable of using and sharing software, data, and hardware resources and that are owned and/or operated by Anthem.

C. “Business Associate” shall be defined in accordance with 45 C.F.R. § 160.103 and is a person or entity that provides certain services to or performs functions on behalf of covered entities, or other business associates of covered entities, that require access to PHI.

D. “Consumer Protection Acts” shall mean the State citations listed in Appendix A.

E. “Covered Entity” shall be defined in accordance with 45 C.F.R. § 160.103 as a health plan, health care clearinghouse, or health care provider that transmits protected health information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted standards.

F. “Covered Systems” shall mean components, such as servers, workstations, and devices, within the Anthem Network that are routinely used to collect, process, communicate, and/or store PI and/or PHI.

G. “Data Breach” shall mean the security incident discovered by Anthem on or about January 29, 2015, and publicly announced on February 4, 2015, in which a malicious cyber attacker gained unauthorized access to portions of the Anthem Network that stored PI and/or PHI, and which impacted approximately 78,800,000 individuals nationwide.

H. “Data Breach Notification Law” shall mean the State citations listed in Appendix B.

I. “Effective Date” shall be October 30, 2020.

J. “Encrypt,” “Encrypted,” or “Encryption” shall refer to the transformation of data at rest or in transit into a form in which meaning cannot be assigned without the use of a confidential process or key. The manner of Encryption shall conform to existing industry standard. For the purposes of this Assurance, the term “existing industry standard” applies to what the standard may become as the industry changes over time. As of the Effective Date, the existing industry standard shall be defined pursuant to Federal Information Processing Standards Publication 140.

K. “Minimum Necessary Standard” shall refer to the requirements of the Privacy Rule that, when using or disclosing Protected Health Information or when requesting Protected Health Information from another Covered Entity or Business Associate, a Covered Entity or Business Associate must make reasonable efforts to limit Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, as defined in 45 C.F.R. § 164.502(b) and § 164.514(d).

L. “Multi-factor Authentication” means authentication through verification of at least two of the following authentication factors: (i) knowledge factors, such as a password; or (ii) possession factors, such as a token, connection through a known authenticated source, or a text message on a mobile phone; or (iii) inherent factors, such as biometric characteristics.

M. “Personal Information” or “PI” shall mean the data elements in the definition of personal information set forth in the Data Breach Notification Law and/or Personal Information Protection Act listed in Appendix B.

N. “Personal Information Protection Act” shall mean the State citations listed in Appendix B.

O. “Privacy Rule” shall refer to the HIPAA Regulations that establish national standards for safeguarding individuals’ medical records and other Protected Health Information, including electronic PHI, that is created, received, used, or maintained by a Covered Entity or a Business Associate, specifically 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and E.

P. “Protected Health Information” or “PHI” shall be defined in accordance with 45 C.F.R. § 160.103, including electronic protected health information.

Q. “Security Event” shall mean any compromise that (i) results in the unauthorized access, acquisition, or exfiltration of electronic PI or PHI collected, processed, transmitted, stored, or disposed of by Anthem, or (ii) causes lack of enterprise availability of electronic PI or PHI of at least 500 U.S. consumers held, processed, or stored by Anthem.

R. “Security Rule” shall refer to the HIPAA Regulations that establish national standards to safeguard individuals’ electronic Protected Health Information that is created, received, used, or maintained by a Covered Entity or Business Associate that performs certain services on behalf of the Covered Entity, specifically 45 C.F.R. Part 160 and 45 C.F.R. Part 164, Subparts A and C.

III. ASSURANCES

A. Compliance with State and Federal Law

Anthem shall not misrepresent the extent to which Anthem maintains and protects the privacy, security, or confidentiality of any PI or PHI collected from or about consumers.

If a Security Event does not trigger the Data Breach Notification Law, Anthem shall create a report that includes a description of the Security Event and Anthem’s response to that Security Event (“Security Event Report”). The Security Event Report shall be made available for inspection by the Third Party Security Assessor as described in Paragraph 27.

B. Information Security Program

Anthem shall develop, implement, and maintain a written information security program (“Information Security Program”) that is reasonably designed to protect the security, integrity, and confidentiality of PI and PHI that Anthem collects, stores, transmits, maintains, and/or destroys. The Information Security Program shall, at a minimum, include the specific information security requirements set forth in Paragraphs 5 through 25 of this Assurance. The Information Security Program shall comply with any applicable requirements under state or federal law, and shall contain administrative, technical, and physical safeguards appropriate to: (i) the size and complexity of Anthem’s operations; (ii) the nature and scope of Anthem’s activities; and (iii) the sensitivity of the PI and PHI that Anthem collects, stores, transmits and/or maintains. The Information Security Program shall be written and modified to allow access to PHI consistent with the Minimum Necessary Standard.

Anthem shall consider and adopt where reasonably feasible the principles of zero trust architecture throughout the Anthem Network. As used herein, zero trust architecture means Anthem will:
(a) regularly monitor, log, and inspect network traffic, including login attempts, through the implementation of hardware, software, or procedural mechanisms that record and evaluate such activity;
(b) authorize and authenticate relevant device, user, and network activity within the Anthem Network; and
(c) require appropriate authorization and authentication prior to any user’s access to the Anthem Network.

Anthem may satisfy the requirements of this Assurance, including the implementation of the Information Security Program, through the review, maintenance, and, if necessary, updating of an existing information security program or existing safeguards, provided that such existing program or safeguards meet the requirements set forth in this Assurance.

Anthem shall review the Information Security Program not less than annually.

Anthem shall employ an executive or officer who shall be responsible for implementing, maintaining, and monitoring the Information Security Program (“Chief Information Security Officer” or “CISO”). The CISO shall have the background and expertise in information security appropriate to the level, size, and complexity of her/his role in implementing, maintaining, and monitoring the Information Security Program. The role of the CISO will include regular and direct reporting to the Chief Executive Officer (“CEO”), Executive Staff, and Board of Directors concerning Anthem’s security posture, the security risks faced by Anthem, and the security implications of Anthem’s business decisions. The CISO shall meet with and provide a report to: (1) the Board of Directors on at least a semi-annual basis and (2) the CEO on at least a quarterly basis. The CISO shall report to the CEO within twenty-four (24) hours of a confirmed Security Event impacting 500 or more consumers residing in the United States. The CISO shall include such Security Events in the annual report to the Board of Directors.

Anthem shall provide notice of the requirements of this Assurance to the employees of Anthem’s Information Security organization and shall implement training on the requirements of this Assurance for those employees. Anthem shall provide the training required under this paragraph to such employees within ninety (90) days of the Effective Date of this Assurance or prior to their starting their responsibilities for implementing, maintaining, or monitoring the Information Security Program.

As part of its Information Security Program, Anthem shall develop, implement, and maintain a written incident response plan to prepare for and respond to Security Events. Anthem shall revise and update this response plan, as necessary, to adapt to any material changes that affect the security of PI and PHI. Such a plan shall, at a minimum, identify and describe the following phases: (i) Preparation; (ii) Detection and Analysis; (iii) Containment; (iv) Notification and Coordination with Law Enforcement; (v) Eradication; (vi) Recovery; (vii) Consumer and Regulator Notification and Remediation; and (viii) Post-Incident Analysis.

Anthem shall budget such that its Information Security Program receives the resources and support reasonably necessary to function as intended.

Anthem shall take reasonable efforts, using a reasonable and documented risk-based approach, to evaluate whether vendors that routinely handle PI or PHI have safeguards in place to protect such information and that such vendors will notify Anthem promptly of any potential compromise to the confidentiality, integrity, or availability of PI or PHI held, stored, or processed by the vendors on behalf of Anthem.

C. Specific Information Security Requirements

Data Collection & Retention: Anthem shall develop, implement, and maintain reasonable policies and procedures governing its collection, use, and retention of PI and PHI. Anthem shall limit its use, disclosure of, and requests for PHI in accordance with the Minimum Necessary Standard, and to fulfill all applicable regulatory, legal, and contractual obligations.

Segmentation: Anthem shall develop, implement, and maintain reasonable policies and procedures designed to reasonably segment the Anthem Network. At a minimum, within ninety (90) days, Anthem shall develop a timetable to implement: (a) segmentation of its VOIP servers; and (b) segmentation of its development and production environments. On a semiannual basis, Anthem will report to the Board of Directors regarding the implementation timetable progress, as well as document any significant delays or revisions to the timetable.

Cyber Security Operations Center (“C-SOC”): Anthem shall maintain the existence and operation of its C-SOC or a reasonably equivalent technology. The C-SOC shall be staffed continuously to provide comprehensive monitoring of servers and other technologies to identify improper use of data, including PI and/or PHI. The C-SOC’s analytic capabilities shall be deployed to detect, analyze, and respond to potential and confirmed Security Events.

Logging & Monitoring: Anthem shall develop, implement, and maintain reasonable policies and procedures designed to properly log and monitor the Anthem Network. At a minimum:
(a) Anthem shall employ tools, such as a Security Information and Event Monitoring solution (“SIEM”) (or a reasonably equivalent technology), among others, to log and monitor network traffic to detect and respond to Security Events.
(b) Anthem shall take reasonable steps to properly configure, and regularly update or maintain, the SIEM (or a reasonably equivalent technology) used pursuant to subsection (a) and shall take reasonable steps to adequately log system activity and identify potential Security Events for review.
(c) Using the SIEM (or a reasonably equivalent technology), Anthem shall actively review and analyze in real time the logs of system activity and take appropriate follow-up with respect to Security Events.
Anthem shall maintain logs in conformance with industry standards and all applicable laws.

In addition to the requirements set forth in subparagraphs (a) through (c) of this Paragraph, Anthem shall develop, implement, and maintain defined and specific policies and procedures with respect to logging and monitoring of the internal data warehouse involved in the Data Breach and any database (or set of databases) that collects, processes, transmits, and/or stores PI and/or PHI of similar volume as the internal data warehouse involved in the Data Breach. At a minimum:
Anthem shall deploy an appropriate database activity monitoring tool or a reasonably equivalent technology in the internal data warehouse involved in the Data Breach and any similar database (or set of databases) that Anthem uses to collect, process, transmit, and/or store PI and/or PHI of similar volume as the internal data warehouse involved in the Data Breach, to the extent it is commercially feasible.
The monitoring of such database(s) shall include commercially reasonable query categories available in a database activity monitoring tool or reasonable equivalent issued to the relevant database(s).
The monitoring of such database(s) shall be performed by appropriately trained or experienced personnel.
Anthem shall create a formalized procedure to track Security Events and alerts on privileged user queries on a regular basis and document identified issues and necessary action items.

Antivirus Maintenance: Anthem shall implement and maintain current, up-to-date antivirus protection programs or a reasonably equivalent technology on the Anthem Network components that require antivirus software, which shall be at the highest technical level available within Anthem-approved antivirus products that can be supported on such components, subject to any reasonable and documented security exceptions.

Access Controls: Anthem shall implement and maintain appropriate controls to manage access to and use of all accounts with access to PI or PHI, including individual accounts, administrator accounts, service accounts, and vendor accounts. Such controls shall include a means to regularly review access and access levels of users and remove network and remote access within twenty-four (24) hours of notification of termination for any employee whose employment has ended or any non-associate whose term has ended.
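As an added illustration of the database activity monitoring items above (alerting on privileged user queries against a warehouse holding PI/PHI) together with the Security Event definition and the CISO’s 24-hour CEO-reporting duty, the following example was written for this page; it is not Anthem’s tooling and nothing in it comes from the Assurance beyond the two stated thresholds (a Security Event under clause (i) is any unauthorized access to PI/PHI, and CEO reporting is owed within 24 hours when 500 or more consumers are impacted). The audit log format, table names, roles, account names and the bulk-row threshold are assumptions, and the log lines are constructed sample data.

```python
"""Added example: privileged-query alerting over a constructed data-warehouse audit
log, plus the Security Event / CEO-reporting test that follows a confirmed compromise.
Not Anthem's code. Log format, table names, roles and BULK_ROW_THRESHOLD are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit log, one query per line: ts|db_user|role|client_ip|rows_returned|sql
SAMPLE_LOG = """\
2020-10-30T01:02:03Z|svc_etl|SERVICE|10.1.4.7|120000|SELECT member_id, ssn, dob FROM edw.members WHERE load_batch = 4471
2020-10-30T02:15:44Z|jdoe|ANALYST|10.2.8.19|25|SELECT member_id, plan_id FROM edw.members WHERE plan_id = 'PPO-7'
2020-10-30T03:01:09Z|dba_admin|DBA|10.9.9.2|780000|SELECT * FROM edw.members
2020-10-30T03:02:30Z|dba_admin|DBA|10.9.9.2|1|SELECT count(*) FROM edw.members
2020-10-30T03:05:12Z|dba_admin|DBA|10.9.9.2|53000|SELECT member_id, ssn, address FROM edw.members WHERE state = 'TX'
2020-10-31T09:00:00Z|dba_admin|DBA|10.9.9.2|900|SELECT member_id, email FROM edw.contacts
"""

PHI_TABLES = {"edw.members", "edw.contacts"}       # assumed: member-keyed tables holding PI/PHI
PRIVILEGED_ROLES = {"DBA", "SERVICE", "SYSADMIN"}  # assumed privileged roles
BULK_ROW_THRESHOLD = 10_000                        # assumed: larger than any routine query result
CEO_REPORT_CONSUMERS = 500                         # Assurance: CEO report if >= 500 consumers impacted
CEO_REPORT_WINDOW = timedelta(hours=24)            # Assurance: within 24 hours of confirmation


@dataclass(frozen=True)
class QueryEvent:
    ts: datetime
    user: str
    role: str
    client_ip: str
    rows: int
    sql: str

    @property
    def tables(self):
        """Names following FROM/JOIN; a toy tokenizer, sufficient for the constructed log."""
        words = self.sql.replace(",", " ").split()
        return {words[i + 1].lower() for i, w in enumerate(words[:-1]) if w.upper() in ("FROM", "JOIN")}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    tables: str
    rows: int
    reason: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, role, ip, rows, sql = line.split("|", 5)  # maxsplit: the SQL may contain '|'
        events.append(QueryEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, role, ip, int(rows), sql))
    return events


def privileged_bulk_alerts(events):
    """Alert on privileged accounts reading PI/PHI tables in bulk, the query category the
    Assurance singles out for tracking. Row-count thresholds are a deliberately simple rule;
    a real DAM tool would add baselining per account and allow-lists for known ETL jobs."""
    alerts = []
    for e in events:
        hit = e.tables & PHI_TABLES
        if hit and e.role in PRIVILEGED_ROLES and e.rows >= BULK_ROW_THRESHOLD:
            reason = "privileged bulk read of PI/PHI table"
            if "SELECT *" in e.sql.upper():
                reason += "; SELECT * pulls every column, contrary to the Minimum Necessary Standard"
            alerts.append(Alert(e.ts, e.user, ",".join(sorted(hit)), e.rows, reason))
    return alerts


def assess_compromise(events, compromised_users, confirmed_at):
    """After incident response confirms which accounts were compromised: any PI/PHI read by
    them is a Security Event under clause (i) (no minimum count); the 24-hour CEO report
    applies once the impacted-consumer count reaches 500. Rows of a member-keyed table are
    a lower bound on distinct consumers; the real figure comes from the investigation."""
    reads = [e for e in events if e.user in compromised_users and e.tables & PHI_TABLES]
    consumers_lower_bound = max((e.rows for e in reads), default=0)
    is_security_event = bool(reads)
    ceo_report_due = confirmed_at + CEO_REPORT_WINDOW if consumers_lower_bound >= CEO_REPORT_CONSUMERS else None
    return is_security_event, consumers_lower_bound, ceo_report_due


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in privileged_bulk_alerts(evs):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:<10} {a.tables:<13} rows={a.rows:<7} {a.reason}")
    print(assess_compromise(evs, {"dba_admin"}, datetime(2020, 10, 31, 12, 0)))
```

On the constructed log the rule raises three alerts (the ETL service account’s batch load and two of the DBA’s reads) and stays silent on the analyst’s 25-row query and the DBA’s count(*). Treating the DBA account as confirmed compromised yields a Security Event with at least 780,000 consumers exposed and a CEO-report deadline 24 hours after confirmation; treating only the analyst account as compromised still yields a Security Event under clause (i) but no 24-hour clock, which is the distinction between definition Q and the CISO reporting paragraph that a triage procedure has to encode.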
Authentication: Anthem shall implement and maintain reasonable policies and procedures requiring the use of authentication in accordance with industry standards, where commercially feasible, including as appropriate under industry standards, the use of strong passwords, password rotation, and ensuring that stored passwords are protected from unauthorized access.

Privileged Account Management: Anthem shall implement and maintain reasonable controls to secure use of privileged credentials, such as through a Privileged Access Management tool or reasonably equivalent technology that vaults and rotates elevated credentials in places where privileged access credentials are required. Administrators shall be required to use Multi-factor Authentication or reasonably equivalent technology to gain access to their safe within the vault to retrieve their credentials.

Remote Access / Multi-factor Authentication: Anthem shall require the use of Multi-factor Authentication or reasonably equivalent technology for end user remote access to the Anthem Network that are servers. Additionally, Anthem will require during vendor security assessments business record documentation that demonstrates the vendor deploys Multi-factor Authentication or reasonably equivalent technology for end user remote access to the Anthem Network via any business-to-business connection.

Encryption: Anthem shall develop, implement, maintain, regularly review, and revise policies and procedures to Encrypt PI and PHI at rest and in transit as reasonable and appropriate, and in accordance with applicable law.

Asset Inventory: Anthem shall develop, maintain, and regularly update a reasonable inventory of the assets that primarily comprise the Anthem Network and assign criticality ratings to such assets, as feasible.

Risk Assessments: Anthem shall develop, implement, and maintain a risk assessment program to identify, address, and, as appropriate, remediate risks affecting its Covered Systems. At a minimum, Anthem shall have an annual risk assessment performed by an independent third party. The assessment shall include assessment of all reasonably anticipated, internal and external risks to the security, confidentiality, or availability of PI and PHI collected, processed, transmitted, stored, or disposed of by Anthem, excluding legal documents and analyses that Anthem reasonably asserts are exempt from disclosure under legally recognized privilege. Such reports shall be maintained by the CISO and be made available for inspection by the Third Party Assessor described in Paragraph 27 of this Assurance.

Vulnerability Management: Anthem shall commit to continuing its current practices related to vulnerability scanning or a reasonably equivalent technology and remediation.

Penetration Testing: Anthem shall develop, implement, and maintain a penetration testing program designed to identify, assess, and remediate security vulnerabilities within the Anthem Network, which shall include annual external penetration tests or a reasonably equivalent technology and appropriate remediation of vulnerabilities revealed by such testing. Anthem shall develop, implement, and maintain an internal penetration testing program through the use of its Adversary Simulation Team or a reasonably equivalent group, who shall perform biannual internal penetration tests. The reports of such external and internal penetration tests shall be maintained by the CISO for a period of not less than six (6) years and be made available for inspection by the Third Party Assessor described in Paragraph 27 of this Assurance.

Email Filtering and Phishing Solutions: Anthem shall maintain email protection and filtering solutions for all Anthem email accounts, including email SPAM, phishing attacks, and anti-malware, or a reasonably equivalent technology.

Employee Training: In addition to the requirements set forth in Paragraph 4(g) above, Anthem shall conduct an initial training for all new employees and, on at least an annual basis, train existing employees concerning its information privacy and security policies, the proper handling and protection of PI and PHI, and disciplinary measures for violation, up to and including termination. At a minimum: (a) Anthem’s new employee and annual training shall cover social engineering schemes, such as phishing; (b) Anthem shall conduct annual mock phishing exercises and all employees who fail must successfully complete additional training; and (c) Anthem shall document such trainings and the results of the mock phishing exercises.

Network Sensors: Anthem shall deploy network sensors or a reasonably equivalent technology to detect attempts to communicate from the Anthem Network to known malicious IP addresses.

Endpoint Detection and Response: Anthem will implement, maintain, and monitor controls designed to provide real-time notification of malicious systems modifications and anomalous systems activity in the Covered Systems.

Intrusion Detection and Prevention Solution(s): Anthem shall develop, implement, and maintain an intrusion detection and prevention solution to assist in detecting and preventing unauthorized access to the Anthem Network.

Data Loss Prevention: Anthem shall develop, implement, and maintain a data loss prevention technology or a reasonably equivalent technology to detect and prevent unauthorized data exfiltration from the Anthem Network.

Whitelisting: Anthem shall implement and maintain controls designed to identify applications permitted to be on the Covered Systems while blocking and/or preventing the execution of unauthorized applications (i.e., applications not on the whitelist) on critical servers.

D. Information Security Program Assessment

Anthem shall obtain an initial and annual information security assessment of its policies and practices pertaining to the collection, storage, maintenance, transmission, and disposal of PI and PHI from an independent third party professional (“Third Party Assessor”) within one year of the Effective Date of this Assurance and then once a year thereafter for a total period of three (3) years. The Third Party Assessor must be an organization that employs at least one individual to perform the assessment that is: (a) qualified as a Certified Information System Security Professional (“CISSP”) or as a Certified Information Systems Auditor (“CISA”), or a similar qualification; and (b) has at least five (5) years of experience evaluating the effectiveness of computer systems or information system security. Anthem may satisfy the initial assessment by providing a copy of the Assessment Report performed for calendar year 2019 pursuant to the settlement of In re Anthem Inc. Data Breach Litig., MDL 2617. For the remaining two assessments, the Third Party Assessor shall review this Assurance and the Security Event Report, risk assessments, and penetration test reports provided by Anthem as set forth in Paragraphs 3, 16, and 18, respectively.

The Third Party Assessor shall prepare a formal report (“Security Report”) that shall confirm Anthem’s development, implementation, and maintenance of a written Information Security Program with security controls and processes that meet the requirements of this Assurance related to: segmentation, antivirus maintenance, access controls including privileged access management and multi-factor authentication, vulnerability scanning and remediation, logging and monitoring, encryption, application whitelisting, e-mail filtering, and information system activity review and detection. The Security Report shall also confirm that Anthem has complied with the provisions of this Assurance related to the employment of a CISO or equivalent officer, maintenance of a C-SOC facility, and performance of internal and external penetration tests and information security training. In preparing each Security Report, the Third Party Assessor may rely on the Assessment Report performed for calendar years 2020 and 2021 for In re Anthem Inc. Data Breach Litig., MDL 2617, for security controls and processes addressed by both that Assessment Report and this Assurance.

The Security Report shall be provided to the Connecticut Attorney General no later than ten (10) days after its completion. Anthem will also provide the Risk Assessment, as set forth in Paragraph 16, and a SOC 2 Type 2 Assessment, as referenced in Paragraph 31, to the Connecticut Attorney General on an annual basis during the three-year term.

Confidentiality: The Connecticut Attorney General’s Office shall, to the extent permitted by state law, treat each Security Report as exempt from disclosure as applicable under the relevant public records laws.

State Access: The Connecticut Attorney General’s Office may provide a copy of each Security Report to any other of the Attorneys General upon request, and each requesting Attorney General shall, to the extent permitted by state law, treat such report as exempt from disclosure as applicable under the relevant public records laws.

Upon receipt of each Security Report, Anthem will review and evaluate whether to revise its current policies and procedures based on the findings of the Security Report. Within sixty (60) days of Anthem’s receipt of each Security Report, Anthem shall forward to the Connecticut Attorney General a description of any action it plans to take, or if no action is taken, a detailed description of why no action is necessary, in response to each Security Report.

E. Information Security Program Audit

Anthem shall provide to the Connecticut Attorney General an annual SOC 2 Type 2 Assessment for calendar year 2019 and then once a year thereafter for a total period of three (3) years. At a minimum, this Assessment shall include the trust service principles of Security and Confidentiality.

IV. PAYMENT TO THE STATES

Anthem shall pay a total amount of Thirty-Nine Million Five Hundred Thousand Dollars ($39,500,000.00). Payment to the State of California pursuant to its settlement with Anthem will be a portion of the total amount paid as set forth in this Paragraph. Said payment shall be divided and paid by Anthem directly to each of the Attorneys General in an amount to be designated by the Attorneys General and communicated to Anthem by the Connecticut Attorney General, along with instructions for such payments. Payment shall be made in full within thirty (30) business days of the Effective Date and receipt of payment instructions by Anthem from the Connecticut Attorney General, except that where state law requires judicial or other approval of the Assurance, payment shall be made no later than thirty (30) days after notice from the relevant Attorney General that such final approval for the Assurance has been secured.

Of the total amount, Anthem shall pay $1,025,452.21 to the State of Texas. Allocation of these funds shall be pursuant to the order entered by the court approving this Assurance.

Also out of the total amount, as set forth in paragraph 32 above, Anthem will make payment to the NAGTRI Endowment Fund maintained in trust by the National Association of Attorneys General within thirty (30) days of the Effective Date, in an amount designated and communicated to Anthem by the Connecticut Attorney General.

V. RELEASE AND EXPIRATION

Release: Following full payment of the amounts due by Anthem under this Assurance, the Attorneys General shall release and discharge Anthem from all civil claims that the Attorneys General could have brought under the Consumer Protection Acts, Personal Information Protection Acts, Security Breach Notification Acts, HIPAA, and any common law claims concerning unfair, deceptive, or fraudulent trade practices based on Anthem’s conduct related to the Data Breach. Nothing contained in this paragraph shall be construed to limit the ability of the Attorneys General to enforce the obligations that Anthem, its officers, subsidiaries, affiliates, agents, representatives, employees, successors, and assigns, have under this Assurance. Further, nothing in the Assurance shall be construed to create, waive, or limit any private right of action.

Notwithstanding any term of this Assurance, any and all of the following forms of liability are specifically reserved and excluded from the release in Paragraph 35 as to any entity or person, including Anthem:
(a) Any criminal liability that any person or entity, including Anthem, has or may have to the States.
(b) Any civil or administrative liability that any person or entity, including Anthem, has or may have to the States under any statute, regulation, or rule giving rise to any and all of the following claims: (i) State or federal antitrust violations; (ii) State or federal securities violations; or (iii) State or federal tax claims.

Expiration: The obligations and other provisions of this Assurance set forth in Paragraphs 4(b), 6-13, 15, 17-19, and 21-25 shall expire at the conclusion of the five (5) year period after the Effective Date of this Assurance. The obligations and other provisions of this Assurance set forth in Paragraphs 14, 16, 20(a)-(c), 47, and 48 shall expire at the conclusion of the seven (7) year period after the Effective Date of the Assurance, unless they have expired at an earlier date pursuant to their specific terms. Provided, however, that nothing in this Paragraph shall be construed as excusing or exempting Anthem from complying with any state or federal law, rule, or regulation, nor shall any of the provisions of this Assurance be deemed to authorize or require Anthem to engage in any acts or practices prohibited by any law, rule, or regulation.

VI. GENERAL PROVISIONS

Meet and Confer: If any Attorney General determines that Anthem has failed to comply with any of the terms of this Assurance, and if in the Attorney General’s sole discretion the failure to comply does not threaten the health or safety of the Attorney General’s State and/or does not create an emergency requiring immediate action, the Attorney General will notify Anthem in writing of such failure to comply and Anthem shall have thirty (30) days from receipt of such written notice to provide a good faith response to the Attorney General’s determination. The response shall include: (A) a statement explaining why Anthem believes it is in full compliance with this Assurance; or (B) a detailed explanation of how the alleged violation(s) occurred, and either (i) a statement regarding whether the alleged violation(s) has been addressed and how, or (ii) a statement regarding whether the alleged violation cannot be reasonably addressed within