On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information.
According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an attacker infiltrated the e-retailer’s website. Nearly one year later, the e-retailer’s merchant bank notified it that fraudulent charges were appearing on customers’ credit card accounts. The e-retailer then hired a cybersecurity firm to conduct a forensic investigation, and the malware was discovered and removed from the e-retailer’s website.
The e-retailer, however, failed to take the next step, which should have been notification to affected customers. According to the attorney general’s office, the e-retailer never provided notice to its customers or law enforcement about the breach, in violation of New York General Business Law (GBL) § 899-aa, which requires that notice be provided to affected individuals and various government agencies, in the most expedient time possible and without unreasonable delay.
The attorney general’s investigation also found that the e-retailer violated New York Executive Law § 63(12) and GBL §§ 349 and 350 by misrepresenting the safety and security of its website. (The e-retailer advertised its website as “100% safe and secure” and “utilizing the latest security technology available.”) The e-retailer, however, did not (1) maintain a written security policy addressing information security problems; (2) deploy effective web server and host-based firewall configurations designed to prevent unauthorized access and exploitation of commonly known vulnerable outgoing computer network port(s); (3) install anti-virus and anti-malware software on any computer systems; (4) monitor and/or review the site’s performance and security configuration or otherwise conduct vulnerability and penetration testing; or (5) maintain firewall logs, the lack of which prevented investigators from determining the frequency of attacker visits and related information. In addition to paying the monetary penalty, the e-retailer agreed to remediate the many security vulnerabilities and train its employees in the most up-to-date data security practices.
Besides the obvious lesson of complying with state data breach notification laws where applicable, the other important lesson is that companies must carefully evaluate how they market the privacy and security of their e-commerce platforms. Federal and state agencies, like the Federal Trade Commission (FTC) and state attorneys general, have increased their scrutiny of companies’ privacy and cybersecurity representations. Regulators will also scrutinize companies’ actual cybersecurity practices. The FTC has offered some practical advice to guide companies in this regard, some of which we have previously discussed here and here. Bottom line: Companies should prioritize cybersecurity and treat it as an investment rather than a cost.