March 23, 2023

Volume XIII, Number 82


Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities

The New York and Pennsylvania AGs’ settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter 2023. The case arose after Herff Jones, a producer and seller of graduation goods, suffered a breach that resulted in the theft and sale of customer payment card information.

The AGs alleged that the breach of consumers’ payment card information resulted from the company’s failure to use reasonable data security measures. According to the AGs, the company also did not comply with the Payment Card Industry Data Security Standard (PCI DSS), a contractual obligation placed by credit card companies on entities that accept credit card payments.

Under the settlement, Herff Jones has agreed not only to pay $100,000 to each AG but also to implement a comprehensive written information security program within 180 days from the date of the settlement. The security procedures agreed upon illustrate the expectations these AGs, and likely others, have of companies’ security programs. Namely, Herff Jones has agreed to:

  • Implement and perform annual information security risk assessments that conform to standards issued by information security organizations such as NIST, ISO 27005, and CIS RAM.

  • Implement certain minimum reasonable information security safeguards designed to protect personal information. These include installing only approved software and using a software patch management program with automated, standardized patch distribution tools to deploy, verify, and track patches. Also included are a penetration-testing program designed to identify, assess, and remediate security vulnerabilities, and a card data environment segmented from other areas of the company’s IT infrastructure.

  • Implement reasonable measures to detect and respond to security incidents, such as log correlation and alerting, file and data integrity monitoring, intrusion detection and prevention tools, and a documented incident response plan.

  • Implement access controls, such as multi-factor authentication, one-time passcodes, location-specific requirements, and other access enhancements.

  • Designate a qualified individual to be in charge of program oversight who will, among other things, advise senior leadership on risks and remediation strategies.

  • Annually conduct cybersecurity awareness training for employees with key responsibilities for information security.

  • Comply with the PCI data security standards.

As part of the settlement, within one year of the date of the settlement agreement and then biennially for 5 years thereafter, the company is required to have a qualified and independent third party evaluate and test the effectiveness of its information security program.

Putting It into Practice: Portions of the expectations set out by these two AGs mirror those in other settlements in 2022, including by the FTC and the NYDFS. These include comprehensive risk assessments and security programs, certain minimum technical and administrative safeguards, and qualified personnel designated to handle information security.

Kathryn Smith also contributed to this article.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XIII, Number 32

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Kari Rollins Intellectual Property Lawyer Sheppard

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....