On August 5, NY online retailer EZcontactsUSA.com (EZContacts) entered into a settlement with the NY attorney general after the Brooklyn-based online contacts and eyewear e-tailer failed to notify customers of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other cardholder data. Under the settlement, EZContacts agreed to pay $100,000 and to improve its data security practices.

The breach occurred in August 2014 when a third party gained access to EZContacts’s website. The company was unaware of the breach until its merchant bank notified it nearly a year later that fraudulent charges were appearing on customer credit accounts. EZContacts hired a forensic investigation firm to conduct an investigation. The forensics firm found malware and removed it from EZContacts’ website.

EZContacts never informed its customers of the breach. This failure to notify violated NY’s Information Security Breach and Notification Act, N.Y. Gen. Bus. Law Section 899-aa, which requires that notice be provided to individuals affected by the breach and to various government agencies, including the attorney general’s office, in the most expedient time possible and without unreasonable delay.

The attorney general also found that the retailer violated New York Executive Law § 63(12) and GBL §§ 349 and 350 by misrepresenting the safety and security of its website. The retailer had advertised its website as “100% safe and secure” and “utilizing the latest security technology available.” Notably, the attorney general found that EZContacts’ website was not “100% safe and secure,” as the company did not: (i) maintain a written security policy addressing information security problems; (ii) deploy effective web server and host-based firewall configurations designed to prevent unauthorized access and exploitation of commonly known vulnerable outgoing computer network port(s); (iii) install anti-virus and anti-malware software on any computer systems; (iv) monitor and/or review the site’s performance and security configuration or otherwise conduct vulnerability and penetration testing; or (v) maintain firewall logs, the absence of which prevented investigators from determining the frequency of attacker visits and related information.

In addition to the $100,000 penalty, the settlement requires EZContacts to conduct thorough investigations of any future data security breaches, provide prompt notice of data security breaches to affected NY residents and state law enforcement agencies, maintain reasonable security policies and procedures designed to protect consumers’ personal information, remediate the many security vulnerabilities found on its website, and provide its employees with training in the most up-to-date data security practices.

Key Takeaway. Companies that experience a data breach in which personally identifiable information is compromised must be sure to comply with all applicable state data breach notification laws. A company’s cybersecurity incident response plan should incorporate these notification requirements to ensure that the company provides these notices in a timely manner following a data breach. The settlement also highlights the importance of maintaining written security policies and procedures.

Further, companies should examine the statements they make to the public regarding their cybersecurity practices (including through their websites) to confirm that those statements are factually accurate and, if they are not, take steps to reconcile the statements with actual practices. Federal and state agencies, like the FTC and state attorneys general, have increased their scrutiny of companies’ privacy and cybersecurity representations. See, e.g., “CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices,” available at http://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-against-dwolla-for-misrepresenting-data-security-practices/. Regulators will also scrutinize companies’ actual cybersecurity practices. The FTC has published advice through written guidance and enforcement actions to guide companies in this regard.

Please contact Khizar A. Sheikh, Esq. (ksheikh@lawfirm.ms or 973-243-7980) for more information.