Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

BakerHostetler
Contact

On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information.

According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an attacker infiltrated the e-retailer’s website. Nearly one year later, the e-retailer’s merchant bank notified it that fraudulent charges were appearing on customers’ credit card accounts. The e-retailer then hired a cybersecurity firm to conduct a forensic investigation, and the malware was discovered and removed from the e-retailer’s website.

The e-retailer, however, failed to take the next step, which should have been notification to affected customers. According to the attorney general’s office, the e-retailer never provided notice to its customers or law enforcement about the breach, in violation of New York General Business Law (GBL) § 899-aa, which requires that notice be provided to affected individuals and various government agencies, in the most expedient time possible and without unreasonable delay.

The attorney general’s investigation also found that the e-retailer violated New York Executive Law § 63(12) and GBL §§ 349 and 350 by misrepresenting the safety and security of its website. (The e-retailer advertised its website as “100% safe and secure” and “utilizing the latest security technology available.”) The e-retailer, however, did not (1) maintain a written security policy addressing information security problems; (2) deploy effective web server and host based firewall configurations designed to prevent unauthorized access and exploitation of commonly known vulnerable outgoing computer network port(s); (3) install anti-virus and anti-malware software on any computer systems; (4) monitor and/or review the site’s performance and security configuration or otherwise conduct vulnerability and penetration testing; or (5) maintain firewall logs, lack of which prevented investigators from determining the frequency of attacker visits and related information. In addition to paying the monetary penalty, the e-retailer agreed to remediate the many security vulnerabilities and train its employees with the most up-to-date data security practices.

Besides the obvious lesson of complying with state data breach notification laws where applicable, the other important lesson is that companies must carefully evaluate how they market the privacy and security of their e-commerce platforms. Federal and state agencies, like the Federal Trade Commission (FTC) and state attorneys general, have increased their scrutiny of companies’ privacy and cybersecurity representations. Regulators will also scrutinize companies’ actual cybersecurity practices. The FTC has offered some practical advice to guide companies in this regard, some of which we have previously discussed here and here. Bottom line: Companies should prioritize cybersecurity and treat it as an investment rather than a cost.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler
Contact
more
less

BakerHostetler on:

Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.