July 26, 2014

Letter from Attorneys General to LivingSocial Can Serve as Guide for Companies Seeking to Protect Personal Information

On April 26, 2013, online daily deal company LivingSocial reported that personal information of as many as 50 million individuals may have been compromised as a result of a cyberattack. According to the company, "the information accessed includes names, e-mail addresses, date[s] of birth for some users, and encrypted passwords-technically 'hashed' and 'salted' passwords."

On May 1, 2013, Connecticut Attorney General George Jepsen and Maryland Attorney General Douglas Gansler sent a joint letter to LivingSocial's counsel that asked LivingSocial to provide additional information about the incident, as well as the company's data management policies and procedures. The letter is illuminating in that it can be read to suggest the types of data management policies and procedures the state enforcement agencies want organizations to have in place to help mitigate the likelihood or severity of a data breach.

The Attorneys General made the following requests, in pertinent part, about LivingSocial's policies and procedures:

  • Please describe how the various categories of user information LivingSocial collects is stored, including whether it is encrypted and whether it is separated from other data.

  • Please explain in detail the nature of the systems LivingSocial employs to store and protect user passwords.

  • How long is information provided by users stored by LivingSocial and is any of this information automatically deleted after a certain period of time? If so, when?

  • Please describe the means, if any, by which users can delete the information LivingSocial stores about them.

  • Please provide copies of LivingSocial's privacy policies at the time of the breach.

  • Please describe the internal security protections in place, before the intrusion occurred, to protect the information of LivingSocial customers from being accessed without authorization, particularly under circumstances reportedly involved in this incident.

  • Please provide an outline of any plan to prevent the recurrence of any such incident and a timeline for implementing that plan.

Letter from Att'y Gens. Gansler & Jepsen to LivingSocial (May 1, 2013), available here.

Businesses can expect government enforcement agencies and plaintiffs' counsel to ask similar questions in the event of a data breach. They should therefore take the time to examine their current policies and procedures and consider whether they are comfortable with how they would have to answer the types of questions posed to LivingSocial, or whether additional steps should be taken to protect personal information.

© 2014 Vedder Price

About the Author

Bruce A. Radke, Vedder Price Law Firm, Litigation Attorney

Mr. Radke joined the Chicago office of Vedder Price in 1998.  He is a shareholder and a member of the firm’s Litigation Practice Area.  Mr. Radke is Chair of the firm’s Records Management and eDiscovery Practice Group.


About the Author

Michael J. Waters, Vedder Price Law Firm, Litigation Attorney

Michael J. Waters is an Associate with Vedder Price and a member of the firm’s Litigation practice area. Mr. Waters has experience representing clients in a broad range of complex business and commercial disputes, including product liability, securities fraud, antitrust and trade regulation and contract disputes.

+1 (312) 609 7726
