New York A.G. Announces $100k Settlement Over Data Breach

King & Spalding

On August 5, New York Attorney General Eric T. Schneiderman announced a settlement with Provision Supply, LLC d/b/a EZcontactsUSA.com, imposing $100,000 in penalties and ongoing obligations to maintain certain security policies and procedures.  According to Attorney General Schneiderman’s announcement, the company failed to notify its customers and law enforcement after a 2014 data breach and advertised its website as “100% safe and secure” while failing to maintain reasonable security standards.

EZcontactsUSA.com offers consumers prescription eyewear, designer sunglasses, and contact lenses.  According to Attorney General Schneiderman’s office, on August 7, 2014, EZcontactsUSA.com was infiltrated by an unknown third party.  The breach was not discovered until June 5, 2015, when fraudulent charges began appearing on customer credit cards.  The company commissioned a forensic analysis, which uncovered malware on EZcontactsUSA.com’s website.  The company removed the malware but did not notify customers or law enforcement agencies of the infiltration.  The breach potentially exposed over 25,000 credit card numbers and other cardholder data.

According to the Attorney General, EZcontactsUSA.com advertised its website as “100% safe and secure” and “utilizing the latest security technology available.”  However, the forensics investigation found that the company did not maintain a written security policy, deploy effective firewall configurations, implement anti-virus or anti-malware software, monitor its website’s performance, or conduct vulnerability and penetration testing.

Attorney General Schneiderman’s office found that EZcontactsUSA.com violated New York General Business Law § 899-aa by failing to provide notice of the security breach to customers or law enforcement agencies.  General Business Law § 899-aa requires companies conducting business in New York to disclose to affected state residents any security breach “in the most expedient time possible and without unreasonable delay.”  The company suffering the breach must also notify the Attorney General’s office, the department of state, and the division of state police.  The statute tasks the Attorney General with enforcing any violations of the statute, including through monetary and injunctive penalties, and does not provide a private right of action for affected residents.  Attorney General Schneiderman’s office also found that EZcontactsUSA.com violated Executive Law § 63(12) and General Business Laws §§ 349 and 350 by misrepresenting the safety and security of its website. 

In addition to the $100,000 penalty imposed on EZcontactsUSA.com, the Attorney General’s press release indicates that the company has agreed to ongoing obligations, for an unannounced period of time, to train employees on the most up-to-date data security practices; maintain reasonable security policies and procedures; remediate the remaining security vulnerabilities contained in its website; conduct thorough and expeditious investigations of any future data security breaches; and provide prompt notice of data security breaches to affected New York residents and to New York law enforcement.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
