AG James Recovers $1.9 Million in Fines From Online Retailer For Security Breach

Cozen O'Connor

  • New York AG Letitia James secured a $1.9 million settlement with online fashion retailer Zoetop Business Company, Ltd. – which owns and operates popular e-commerce brands SHEIN and ROMWE – and SHEIN Distribution Corporation (collectively “SHEIN”) to resolve allegations that the companies violated New York consumer protection laws by mishandling customer data and misrepresenting the scope of a 2018 data breach that compromised the payment card information and personal data of millions of consumers worldwide, including 800,000 New York residents.
  • The state alleged in the assurance of discontinuance that attackers were able to access 39 million SHEIN customer accounts and likely exfiltrated customer payment card information and personal data, including customer names, addresses, emails, and hashed account passwords. The AG further alleged that, following the incident, SHEIN failed to promptly notify its customers about the data breach and failed to force a password reset for all account holders. SHEIN also allegedly misrepresented the scope of the incident in its press release and online FAQ page and declined to fully cooperate with a PCI-qualified forensic investigator, which, according to the state, determined in its limited review that the company had failed to comply with the PCI-DSS requirements to which companies that collect credit card payment information are expected to adhere.
  • Under the terms of the settlement, SHEIN must pay $1.9 million in penalties and costs and maintain a comprehensive information security program that documents specific security measures and controls. Such controls include, among other things, conducting annual risk assessments, selecting and engaging appropriate service providers, implementing password management policies and procedures, establishing a logging and monitoring system, and conducting regular vulnerability scans. In addition, the company must appoint a qualified employee to oversee the information security program and offer identity protection services to customers at no charge.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cozen O'Connor | Attorney Advertising
