On September 15, 2020, the New York Attorney General (NYAG) reached a Consent and Stipulation Agreement (the “Agreement”) with Dunkin’ Brands Inc., a year after filing a lawsuit over the company’s response to cyberattacks in 2015 and 2018. The Agreement resolves the September 2019 lawsuit, filed in New York state court, which alleged violations of New York’s data breach notification statute and consumer protection laws.
The case arose from two cyberattacks, specifically “brute force” and “credential stuffing” attacks on Dunkin’ customer stored value cards. These types of online attacks involve hackers making millions of automated attempts to access customer accounts, in the credential stuffing case by using credentials stolen from other websites.
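As an added, defender-side illustration (not part of the original post or of any Dunkin’ or NYAG material): the two attack patterns named above leave different footprints in a login audit log, and telling them apart matters because the response differs (resetting the accounts an attacker actually got into versus throttling a single source). The log format, thresholds and sample lines below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login-audit lines (hypothetical format): time source_ip account outcome
SAMPLE_LOG = """\
2020-09-01T10:00:01 203.0.113.5 alice@example.com FAIL
2020-09-01T10:00:02 203.0.113.5 bob@example.com FAIL
2020-09-01T10:00:03 203.0.113.5 carol@example.com FAIL
2020-09-01T10:00:04 203.0.113.5 dave@example.com SUCCESS
2020-09-01T10:00:05 203.0.113.5 erin@example.com FAIL
2020-09-01T10:01:00 198.51.100.9 grace@example.com FAIL
2020-09-01T10:01:01 198.51.100.9 grace@example.com FAIL
2020-09-01T10:01:02 198.51.100.9 grace@example.com FAIL
2020-09-01T10:01:03 198.51.100.9 grace@example.com FAIL
2020-09-01T10:01:04 198.51.100.9 grace@example.com SUCCESS
2020-09-01T10:02:00 192.0.2.77 heidi@example.com FAIL
2020-09-01T10:02:30 192.0.2.77 heidi@example.com SUCCESS
"""

def parse_log(text):
    """Yield (source_ip, account, outcome) from the audit lines; blank lines are skipped."""
    for line in text.splitlines():
        if line.strip():
            _, src, account, outcome = line.split()
            yield src, account, outcome

def classify_sources(text, min_attempts=5, spread_ratio=0.8):
    """Return {source_ip: (label, accounts_logged_into)} where label is
    'credential_stuffing', 'brute_force' or 'benign'; the account list is
    the set of accounts a flagged source successfully logged into (reset candidates)."""
    attempts = defaultdict(list)
    for src, account, outcome in parse_log(text):
        attempts[src].append((account, outcome))
    result = {}
    for src, events in attempts.items():
        total = len(events)
        per_account = defaultdict(int)
        for account, _ in events:
            per_account[account] += 1
        if total < min_attempts:
            label = "benign"
        elif len(per_account) / total >= spread_ratio:
            label = "credential_stuffing"  # one try each across many accounts
        elif max(per_account.values()) >= min_attempts:
            label = "brute_force"  # many tries hammering one account
        else:
            label = "benign"
        logged_in = sorted({a for a, o in events if o == "SUCCESS"})
        result[src] = (label, logged_in if label != "benign" else [])
    return result
```

Real deployments would key on more than source IP (stuffing tools rotate through proxies), so treat the per-source view as one signal among several.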
The NYAG alleged the attacks affected over 300,000 customers and that Dunkin’ failed to notify customers, reset passwords, conduct a reasonable investigation or implement safeguards to limit future credential stuffing and brute force attacks. Dunkin’ maintained it did conduct an investigation, appropriately notified customers and state authorities and voluntarily implemented numerous safeguards to protect customer information. In responding to the allegations, Dunkin’ stated it immediately conducted a thorough investigation after the 2015 attack and the investigation showed that no customer account was wrongfully accessed. A spokesperson for the company noted its security vendor notified Dunkin’ of the 2018 attack and was successful in stopping most of the attempts.
The company maintained it cooperated with the NYAG’s investigation and was surprised by the lawsuit over the incidents, which it said potentially impacted less than one percent of its loyalty member customers and never resulted in hackers obtaining access to credit card information. While asserting the case was without merit and without admitting any wrongdoing, Dunkin’ agreed to do the following in the Agreement with the NYAG:
Notably, the settlement also provides form letter notices in the appendices of the Agreement, setting out the precise form of notice to be sent to Dunkin’ customers pursuant to the settlement. As with the NYAG settlement earlier this year with Zoom, the Agreement does not mention the SHIELD Act. The lawsuit was filed before the law took effect in March 2020, and the SHIELD Act amends the state’s data breach notification requirements. However, both agreements include requirements that reflect the language of the law. For example, both companies agreed to “maintain a comprehensive information security program” with minimum technical, physical and administrative safeguards, all items laid out in the “reasonable security requirement” of the SHIELD Act.
The NYAG has reached two consent agreements this year with major companies over data security issues, indicating the office fully intends to closely scrutinize companies’ responses to data breaches. Companies doing business in New York should pay close attention to these developments, become familiar with the SHIELD Act and evaluate company security programs for compliance.