On September 15, 2020, the New York Attorney General (NYAG) reached a Consent and Stipulation Agreement (the “Agreement”) with Dunkin’ Brands Inc., a year after filing a lawsuit over the company’s response to cyberattacks in 2015 and 2018. The Agreement resolves the September 2019 lawsuit, filed in New York state court, which alleged violations of New York’s data breach notification statute and consumer protection laws.
The case arose from two cyberattacks on Dunkin’ customers’ stored value card accounts, specifically “brute force” and “credential stuffing” attacks. Both are automated attacks in which hackers make millions of login attempts against customer accounts: a brute force attack guesses passwords for targeted accounts, while a credential stuffing attack replays username and password pairs stolen from other websites in the hope that customers reused them.
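The two attack patterns leave different traces in an authentication log, and telling them apart is the first step of the scoping investigation the settlement later requires. The following is an added illustration, not code from the article, from Dunkin’ or from the NYAG: it runs a simple heuristic over a constructed, made-up log (format “src_ip username result”, with assumed thresholds) to label each source IP as brute force (many attempts concentrated on a few accounts) or credential stuffing (roughly one attempt per account across many accounts), and then lists the accounts that were actually logged into from a flagged source.

```python
from collections import defaultdict

# Constructed sample authentication log, one event per line: "src_ip username result".
# Made-up data for illustration only; not anything from the Dunkin' incidents.
SAMPLE_LOG = """\
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 alice FAIL
203.0.113.7 bob FAIL
203.0.113.7 bob FAIL
198.51.100.9 carol FAIL
198.51.100.9 dave FAIL
198.51.100.9 erin OK
198.51.100.9 frank FAIL
198.51.100.9 grace FAIL
198.51.100.9 heidi OK
198.51.100.9 ivan FAIL
192.0.2.5 judy FAIL
192.0.2.5 judy OK
"""


def parse_log(text):
    """Parse 'ip user result' lines into (ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ip, user, result = parts
        events.append((ip, user, result == "OK"))
    return events


def classify_sources(events, min_attempts=5, reuse_ratio=3.0):
    """Label each source IP as 'brute_force', 'credential_stuffing' or 'benign'.

    Heuristic with assumed thresholds (tune to real traffic):
      - brute force: attempts per distinct username >= reuse_ratio,
        i.e. many guesses against few accounts
      - credential stuffing: many attempts spread over many usernames,
        roughly one try each (each stolen pair is tried once)
      - benign: fewer than min_attempts attempts in total
    """
    attempts = defaultdict(int)
    users = defaultdict(set)
    for ip, user, _ok in events:
        attempts[ip] += 1
        users[ip].add(user)

    labels = {}
    for ip, n in attempts.items():
        distinct = len(users[ip])
        if n < min_attempts:
            labels[ip] = "benign"
        elif n / distinct >= reuse_ratio:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "credential_stuffing"
    return labels


def affected_accounts(events, labels):
    """Accounts successfully logged into from a flagged source: the set an
    investigator has to scope, notify and force a password reset on."""
    flagged = {"brute_force", "credential_stuffing"}
    return sorted(
        {user for ip, user, ok in events if ok and labels.get(ip) in flagged}
    )


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    lab = classify_sources(ev)
    for ip, label in sorted(lab.items()):
        print(ip, label)
    print("affected accounts:", affected_accounts(ev, lab))
```

In the constructed log the first source hammers two accounts and is labelled brute force, the second tries seven different accounts once each and is labelled credential stuffing, and only the two accounts that actually returned OK from the stuffing source end up on the affected list; the legitimate user who mistyped once is not flagged. Real deployments would add time windows, per-account failure counts and IP reputation, but the separation of “attempts per account” from “distinct accounts per source” is the core of the distinction.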
The NYAG alleged that the attacks affected over 300,000 customers and that Dunkin’ failed to notify customers, reset passwords, conduct a reasonable investigation or implement safeguards to limit future credential stuffing and brute force attacks. Dunkin’ maintained that it did conduct an investigation, appropriately notified customers and state authorities, and voluntarily implemented numerous safeguards to protect customer information. In responding to the allegations, Dunkin’ stated that it immediately conducted a thorough investigation after the 2015 attack and that the investigation showed no customer account was wrongfully accessed. A spokesperson for the company noted that its security vendor notified Dunkin’ of the 2018 attack and succeeded in stopping most of the attempts.
The company maintained that it cooperated with the NYAG’s investigation and was surprised by the lawsuit over incidents which, it said, potentially impacted less than one percent of its loyalty members and never resulted in hackers obtaining access to credit card information. While asserting that the case was without merit, and without admitting any wrongdoing, Dunkin’ agreed in the Agreement with the NYAG to do the following:
- Pay $650,000 in penalties and costs to the state of New York.
- Maintain a comprehensive information security program that includes at minimum reasonable technological, administrative and physical safeguards.
- Conduct a reasonable investigation into suspected brute force attacks, credential stuffing attacks or other attacks that compromise the security, confidentiality or integrity of customer personal information. Future investigations must:
  - Determine whether the event is ongoing.
  - Determine the cause and scope of the event.
  - Determine the customer accounts affected and the categories of customer personal information possibly accessed.
  - Document the investigative steps and retain that documentation for at least five years.
- Notify customers whose Customer Private Information was acquired, in the manner required by breach notification laws.
- Issue refunds for unauthorized use of stored value cards.
- Reset the passwords for customers impacted by the cyber-attacks.
Notably, the settlement also provides form letter notices in the appendices of the Agreement, setting out the precise form of notice to be sent to Dunkin’ customers pursuant to the settlement. Similar to the NYAG settlement earlier this year with Zoom, the Agreement does not mention the SHIELD Act. The lawsuit was filed before the law took effect in March 2020, and the SHIELD Act amends the state’s data breach notification requirements. However, both agreements include requirements that mirror the language of the law. For example, both companies agreed to “maintain a comprehensive information security program” with minimum technical, physical and administrative safeguards, all items laid out in the “reasonable security requirement” of the SHIELD Act.
The NYAG has reached two consent agreements this year with major companies over data security issues, indicating the office fully intends to closely scrutinize companies’ responses to data breaches. Companies doing business in New York should pay close attention to these developments, become familiar with the SHIELD Act and evaluate company security programs for compliance.