Cleanup on Aisle 1: Pennsylvania Grocer Rutters Latest to Settle Single-State Data Breach Investigation With Pennsylvania AG

Troutman Pepper

[co-author: Stephanie Kozol]*

Rutters, a prominent grocery chain in Pennsylvania with 80 locations statewide, settled a data breach investigation with Attorney General (AG) Michelle Henry’s office by agreeing to pay $1 million and to implement certain injunctive relief. Henry announced the settlement on Wednesday, October 11, following a months-long data breach lasting from 2018 to 2019 that potentially exposed the payment card data of 1.3 million Pennsylvania consumers.

According to Henry’s press release, the attack occurred over nine months and involved all or nearly all of the grocer’s locations. Rutters first learned of the security incident in May 2019, but after conducting an in-house investigation, it concluded that customer payment card information was not stolen. Approximately six months after Rutters concluded its investigation, Mastercard flagged unusual payment card activity associated with customers who shopped at Rutters and required the company to investigate further. An investigation by an independent party found that the 2018-2019 security incident had resulted in the theft of at least 1.3 million different payment cards from Rutters’ network.

Henry cautioned that this breach “could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards.” To protect consumers from the prospect of future harm, the settlement with Rutters will involve “assurance that future risk will be minimized.” Specifically, and in addition to the $1 million payment, Rutters is required to conduct and document a risk assessment and engage independent auditors to ensure compliance and implementation of specific security improvements, which include: the maintenance of a robust information security program; appropriate password management; logging and log-monitoring policies and procedures; routine software patching; and the disabling of inactive accounts after some time.

Why It Matters

The Rutters settlement reflects a growing trend of state AGs engaging in local-level enforcement following a data breach — which is attributable to proficiencies and expertise developed in state AG offices over the past decade. While a data breach can be devastating for a company by itself, the potential for regulatory enforcement can be especially painful.

The investigation into Rutters is a wake-up call to all businesses, whether they have a local or national footprint. Self-help and a healthy dose of optimism rarely work in the breached entity’s favor. Once a company discovers a breach that potentially could have exposed consumer information, it is vitally important that the company (regardless of size) engage experienced outside counsel and a forensic firm to ensure the company conducts a thorough investigation protected under privilege, and then satisfies any obligations to consumers, as applicable.[1]


[1] Rutters was also sued in a class action lawsuit filed in the Middle District of Pennsylvania in connection with the data breach. In Re Rutter’s Inc. Data Sec. Breach Lit., No. 1:20-cv-00382-CCC (M.D. Penn., filed March 4, 2020).

*Senior Government Relations Manager

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
