New York AG Announces Settlement with Dunkin’ Regarding Data Breach Lawsuit

Samuel Hyams, Ronald Raether, Jr.
Troutman Pepper
Contact
LinkedIn
Facebook
X
Send
Embed

Troutman Pepper

On Tuesday, September 15, New York Attorney General Letitia James announced a settlement with Dunkin’ Brands Inc. regarding a lawsuit in New York state court titled The People of The State of New York et al. v. Dunkin’ Brands Inc., case number 451787/2019. The case was filed in September 2019 by the New York AG’s office, accusing Dunkin’ of failing to take adequate measures to protect customer data from two data breach incidents in 2015 and 2018.

The AG alleged that starting in early 2015, Dunkin’ customers’ online accounts were targeted by hackers who repeatedly attempted to gain access using usernames and passwords stolen through security breaches of unrelated websites and services. According to the AG, Dunkin’ failed to conduct an adequate investigation into the breaches, despite allegedly being put on notice by a third-party developer. The AG also faulted Dunkin’ for allegedly not properly notifying customers of the breaches, and allegedly not freezing affected accounts or changing the passwords on them to prevent further damage. The AG sued Dunkin’ for violating New York’s data breach notification statute, General Business Law § 899-aa, and various NY state consumer protection laws.

The settlement agreement, which still must be approved by Justice Barry R. Ostrager, includes the following requirements of Dunkin’:

  • notify customers impacted by the breaches;
  • reset the passwords for impacted customers;
  • reimburse customers for any fraudulent activity that resulted from the breaches;
  • maintain safeguards to protect against similar incidents in the future;
  • follow incident response procedures when an incident occurs; and
  • pay $650,000 in penalties and costs to the State of New York.

Dunkin’ stressed in a statement regarding the settlement that the breaches never resulted in the hackers gaining access to credit card information. Dunkin’ also noted that it voluntarily implemented the security measures identified in the settlement “long before” the attorney general filed suit.

As businesses and consumers continue to shift toward more online activities, businesses should focus more than ever on maintaining adequate cybersecurity safeguards and incident response procedures. For more information regarding cybersecurity best practices, see Troutman Pepper articles here and here.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Troutman Pepper
Contact
more
less

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide