State AGs reach $2 million settlement to resolve data breach
On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised more than 22 million consumers’ personal information. According to the Assurance of Voluntary Compliance, the retailer failed to detect a data breach that allowed an unidentified attacker to obtain information including Social Security numbers and tax identification numbers. After learning about the vulnerability from a third-party security researcher, the retailer issued a patch to remediate the vulnerability and required users to reset the passwords on their customer accounts. However, the AGs claim that the retailer took nearly six months to conduct a full investigation into whether its user database had been breached, and began notifying affected users of the breach only after determining that users’ personal information was for sale on the dark web.
In addition to paying $2 million to the AGs, which is partially suspended due to the retailer’s financial condition, the retailer, which has not admitted to the alleged violations, has agreed to (i) develop and implement a comprehensive information security program; (ii) design an incident response and data breach notification plan that encompasses preparation, detection and analysis, containment, eradication, and recovery; (iii) ensure that personal information safeguards and controls are in place, such as encryption, segmentation, penetration testing, risk assessment, password management, logging and monitoring, personal information deletion, and account closure notification; and (iv) ensure that third-party security assessments occur biennially for the next five years.