Retailer settles multistate data breach investigation for $1.5 million

State Issues Privacy/Cyber Risk & Data Security State Attorney General Credit Cards Data Breach Settlement

On January 8, a national retailer reached a $1.5 million multistate settlement with 43 states and the District of Columbia to resolve an investigation following a 2013 data breach of customer payment card information. According to the Illinois Attorney General’s announcement, the retailer will implement provisions to prevent future breaches, such as (i) complying with Payment Card Industry Data Security Standard requirements; (ii) maintaining a system to collect and monitor network activity; (iii) updating software that maintains and safeguards personal information; and (iv) devaluing payment card information through the use of encryption and tokenization technology to obfuscate payment card data. The retailer must also retain a third-party professional responsible for conducting an information security assessment and report, as well as outlining corrective measures.