U.S. Retailer Settles States’ Investigation Over 2013 Data Breach, Fined $18.5 Million in Settlement

Privacy/Cyber Risk & Data Security Enforcement State Attorney General

On May 23, a major U.S. retailer reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the retailer’s 2013 data breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. According to multiple state attorneys general, this represents the largest multistate data breach deal to date. According to the states’ investigation, the November 2013 security breach occurred when cyberattackers accessed the retailer’s customer service database to install malware that was able to capture consumers’ personal information, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. Under the terms of the Assurance of Voluntary Compliance, the retailer agreed to do the following, including:

• develop, implement, and maintain a comprehensive Information Security Program (Program) and required safeguards;
• employ an executive or officer with information security experience responsible for executing the Program and advising the CEO and Board of Directors of security-related issues;
• develop and implement risk-based policies and procedures for auditing vendor compliance with the Program;
• maintain and support software on its network for data security purposes;
• maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
• segment its cardholder data environment from the rest of its computer network;
• undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication;
• deploy and maintain a file integrity monitoring solution; and
• hire a third-party to conduct a comprehensive security assessment.

The majority of the terms last five years.

States involved issued press releases announcing their portions of the settlement. California Attorney General Xavier Becerra stated that California will be receiving more than $1.4 million from the settlement, the largest share of any state. Illinois, which co-led the investigation with the state of Connecticut, will receive more than $1.2 million from the settlement, according to Attorney General Lisa Madigan, who stated, “Today’s settlement . . . establishes industry standards for companies that process payment cards and maintain secure information about their customers.” Connecticut Attorney General George Jepsen noted that the retailer “deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement. I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information.”