Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

The New York and Pennsylvania AGs' settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter 2023. The case arose after Herff Jones, a producer and seller of graduation goods, suffered a breach that resulted in the theft and sale of customer payment card information.

The AGs alleged that the breach of consumers' payment card information resulted from the company's failure to use reasonable data security measures. According to the AGs, the company also did not comply with the Payment Card Industry Data Security Standard (PCI DSS), a contractual obligation that the card brands impose on entities that accept card payments.

Under the settlement, Herff Jones has agreed not only to pay $100,000 to each AG but also to implement a comprehensive written information security program within 180 days of the settlement date. The security procedures agreed upon illustrate the expectations these AGs (and likely others) have of companies' security programs. Namely, Herff Jones has agreed to:

  • Implement and perform annual information security risk assessments that conform to recognized frameworks such as those from NIST, ISO 27005, and the CIS Risk Assessment Method (CIS RAM).
  • Implement certain minimum reasonable information security safeguards designed to protect personal information. These include installing only approved software and running a software patch management program that uses automated, standardized distribution tools to deploy, verify, and track patches. Also included are a penetration-testing program designed to identify, assess, and remediate security vulnerabilities, and a card data environment segmented from the rest of the company's IT infrastructure.
  • Implement reasonable measures to detect and respond to security incidents, such as log correlation and alerting, file and data integrity monitoring, intrusion detection and prevention tools, and a documented incident response plan.
  • Implement access controls, such as multi-factor authentication, one-time passcodes, location-specific requirements, and other access enhancements.
  • Designate a qualified individual to be in charge of program oversight who will, among other things, advise senior leadership on risks and remediation strategies.
  • Annually conduct cybersecurity awareness training for employees with key responsibilities for information security.
  • Comply with the PCI Data Security Standard.

As part of the settlement, within one year of the date of the settlement agreement, and then biennially for five years thereafter, the company is required to have a qualified and independent third party evaluate and test the effectiveness of its information security program.

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting It into Practice: Portions of the expectations set out by these two AGs mirror those in other 2022 enforcement settlements, including ones reached by the FTC and the NYDFS. Common elements include comprehensive risk assessments and written security programs, certain minimum technical and administrative safeguards, and qualified personnel designated to be responsible for information security.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
