Maryland AG settles with Visionworks over security practices

Robinson+Cole Data Privacy + Security Insider

Using the Maryland Consumer Protection Act, Maryland Attorney General Brian Frosh has announced that eye care retailer Visionworks, Inc. has agreed to pay the state of Maryland $100,000 and enhance its security measures following an investigation into two security incidents that occurred in 2014. When it was upgrading its Annapolis, MD and Jacksonville, FL stores to fully encrypted servers, Visionworks allegedly left the old servers, which contained customers’ names, addresses, dates of birth, purchasing history, health insurance information and three days’ worth of encrypted credit card data, unsecured, as they were “misplaced” by accident. They believe the servers were taken to landfills.

Frosh stated that Visionworks expressly and implicitly represented to consumers that it would protect their personal information, including their health information, which was required by HIPAA and the Maryland Personal Information Protection Act. When it failed to secure the servers and properly dispose of them, the AG alleged that Visionworks “committed unfair and deceptive trade practices” which violated the Maryland Consumer Protection Act.

In addition to the $100,000 penalty, Visionworks has also agreed to provide credit monitoring and identity theft insurance to any consumer who contacts it or the AG’s office. It further agreed to enhance its security practices with respect to storage and disposal of personal information, use encryption technology to safeguard personal information, and “not misrepresent the extent to which it protects personal information.”

Although we are used to seeing cases and settlements over security practices with the FTC for unfair and deceptive practices following a data breach (and the Wyndham case has certainly paved the way for more FTC enforcement actions and settlements), seeing settlements with state AGs is less common. However, we anticipate seeing more AGs use the same theory to launch investigations and push for settlements using broad state consumer protection powers. The message to businesses is clear: enhance security measures to avoid enforcement actions at both the federal and state level.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
