February 4, 2023

Volume XIII, Number 35

Lessons From New York AG Scrutiny of Breach Investigation and Response

New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and subsequent consumer notification. The scrutiny given to Zoetop provides insights into the NYAG’s expectations around breach investigations and response.

The case arose from Zoetop’s 2018 discovery that user credentials for 39 million account holders had been compromised. According to the AG’s Assurance of Discontinuance, the user passwords were hashed using encryption software that was “known at the time” to be insecure. Upon learning of the compromise, Zoetop engaged a forensic investigator, who determined that not only were user credentials stolen, but also that customer payment information had been compromised at the point of purchase. Following discovery of the data breach, Zoetop made written notification of the breach to its customers and notified the AG at the same time. As has become increasingly common following notification, the AG launched an inquiry into the Zoetop data breach. The AG expressed concern with several of Zoetop’s incident response-related actions. These included:

  • Failing to reset the credentials of all impacted users, and instead only resetting the credentials of those users who had placed an order and thereby had their payment information compromised;

  • Failing to automatically force password resets for users, and instead having users reset their credentials themselves;

  • Communicating in the FAQs issued with notification that “impacted individuals” were being contacted, when in reality only those users who had placed an order were notified (and not all users whose credentials were compromised);

  • Communicating to impacted individuals that their credit card numbers were not impacted, when its investigation showed the opposite; and

  • Failing to give its PCI investigators access to the impacted systems.

As part of the settlement, Zoetop has agreed to pay $1.9 million and to implement a comprehensive information security program that addresses the AG’s stated concerns.

Putting it Into Practice: This settlement is a reminder that regulators are increasing their scrutiny of organizations that suffer a data breach. That scrutiny may cover not just whether the company’s security measures were sufficient, but also whether it properly investigated the incident and accurately notified consumers about the nature and scope of the breach. As a result, it will be important for companies to ensure their forensic investigations, incident remediation, and communications are thoughtful, comprehensive, and defensible in the context of guidance issued by both regulators and industry organizations.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 319

About the Authors

Charles Glover is an associate in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Charles' practice focuses on breach response, data privacy law, and intellectual property disputes. His representations cover a variety of clients, including national banks, domestic airlines, and entertainment companies.

Charles’ solutions-oriented focus and diverse experience allow him to develop and implement dynamic strategies tailored to meet his clients’ needs. He has helped clients of all sizes and stages...

Liisa Thomas

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Kari M. Rollins

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....