New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and subsequent consumer notification. The scrutiny given to Zoetop provides insights into the NYAG’s expectations around breach investigations and response.
The case arose from Zoetop’s 2018 discovery that user credentials for 39 million account holders had been compromised. According to the AG’s Assurance of Discontinuance, the user passwords were hashed using encryption software that was “known at the time” to be insecure. Upon learning of the compromise, Zoetop engaged a forensic investigator, who determined that not only were user credentials stolen, but also that customer payment information had been compromised at the point of purchase. Following discovery of the data breach, Zoetop made written notification of the breach to its customers and notified the AG at the same time. As has become increasingly common following notification, the AG launched an inquiry into the Zoetop data breach. The AG expressed concern with several of Zoetop’s incident response-related actions. These included:
- Failing to reset the credentials of all of impacted users, and instead only resetting credentials of those users who placed an order and thereby had their payment information compromised;
- Failing to automatically force password resets for users, and instead having users reset their credentials themselves;
- Communicating in the FAQs issued with notification that “impacted individuals” were being contacted, when in reality only those users who had placed an order were notified (and not all users whose credentials were compromised);
- Communicating to impacted individuals that their credit card numbers were not impacted, when its investigation showed the opposite; and
- Failing to give its PCI investigators access to the impacted systems.
As part of the settlement, Zoetop has agreed to pay $1.9 million and to implement a comprehensive information security program that addresses the AG’s stated concerns.
Putting it Into Practice: This settlement is a reminder that regulators are increasing their scrutiny of organizations who suffer a data breach. That scrutiny may include not just whether the company’s security measures were sufficient, but also if it properly investigated the incident and accurately notified consumers about the nature and scope of the breach. As a result, it will be important for companies to ensure their forensic investigations, incident remediation, and communications are thoughtful, comprehensive, and defensible in the context of guidance issued by both regulators and industry organizations.