On September 23, 2016, New York Attorney General Eric T. Schneiderman announced a settlement with Trump International Hotels Management LLC, d/b/a Trump Hotel Collection (“THC”), imposing $50,000 in penalties and ongoing obligations to maintain certain security policies and procedures. According to the New York Attorney General, THC (i) failed to timely notify its customers of the first security incident, and (ii) failed to timely implement THC’s forensic investigator’s remediation recommendation before the second security incident. The two incidents resulted in the exposure of over 70,000 credit card numbers.
The New York Attorney General’s announcement stated that, in late May 2015, THC learned of “common point of purchase” reports indicating that it might be the source of a credit card compromise. Common point of purchase reports are a commonly used method by which banks analyze fraudulent credit card transactions and determine the last merchant where legitimate transactions took place, suggesting the source of a compromise. According to the New York Attorney General, within a few weeks, a preliminary forensic investigation confirmed the existence of malware at multiple THC locations. THC notified affected customers approximately four months later, in late September 2015, which the New York Attorney General claimed violated New York General Business Law § 899-aa by failing to provide notice to customers “in the most expedient time possible and without unreasonable delay.” New York General Business Law § 899-aa tasks the New York Attorney General with enforcing any violations of the statute, including through monetary and injunctive penalties.
In March 2016, according to the New York Attorney General, THC received additional common point of purchase reports about a potential second incident, which was subsequently confirmed by a forensic investigation. THC notified affected customers approximately two months later. The announcement does not indicate whether the office viewed the second notification as untimely under General Business Law § 899-aa, but the New York Attorney General took issue with THC’s alleged failure to timely implement two-factor authentication for remote access to THC’s network as recommended by the forensic investigation report from the first breach. The New York Attorney General claimed that the remediation recommendation might have prevented the March incident, but THC’s April implementation came too late.
In addition to the $50,000 penalty imposed on THC, the New York Attorney General stated that THC has agreed to maintain reasonable security policies and procedures designed to protect personal information, for an unannounced period of time, including:
- Designation of an employee or employees to coordinate and supervise THC’s program designed to protect the privacy and security of personal information;
- Annual employee training to, at a minimum, inform employees who are responsible for handling personal information about data security, the importance of consumer privacy and their duty to help maintain its integrity;
- Responding to events involving unauthorized acquisition, access, use or disclosure of personal information, including training all staff who are responsible for inputting, entering, maintaining, storing or transferring personal information on data breach notification law;
- Identifying material risks to the security and confidentiality of personal information that are reasonably likely to result in the unauthorized disclosure of such information, including through the regular review of security industry news sources for newly identified security vulnerabilities;
- Designing and implementing reasonable safeguards to control the risks identified through risk assessment, including use of two-factor authentication for remote access to computer systems;
- Regular testing of the effectiveness of the safeguards’ key controls, systems, and procedures, including through reasonable and appropriate software security testing; and
- Developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement, and requiring service providers by contract to implement and maintain appropriate safeguards.
These injunctive provisions are in line with those commonly imposed by other data security and privacy regulators, including the Federal Trade Commission.
The settlement with THC reflects the increasing role state attorneys general play in investigating and enforcing data security and privacy laws. In addition, many data breach notification statutes are worded similarly to New York’s, and the THC settlement provides rough guidance on the inherently subjective determination of what constitutes “unreasonable delay” in notifying affected individuals of a data security incident.
Companies that handle customers’ personal information should ensure that they have appropriate data security and privacy governance and compliance programs, and that they respond to data security incidents consistently with incident response best practices.