July 27, 2021

Volume XI, Number 208


New York AG Settles with Filters Fast After Data Breach

On May 18, 2021, New York Attorney General (“AG”) Letitia James announced a settlement agreement with Filters Fast LLC (“Filters Fast”) over a data breach that compromised personal information of approximately 324,000 consumers nationwide, including over 16,500 New York state residents. The breach affected purchases made on the Filters Fast website for almost a year – from July 16, 2019 to July 10, 2020.

Filters Fast, an online air and water filter retailer, was notified by a credit card payment system management company on February 25, 2020 that its website had been flagged as a common point of purchase (“CPP”) for unauthorized credit card purchases. The CPP notification came seven months after an attacker exploited a known vulnerability in a plugin on the Filters Fast website that allowed the attacker to collect the names, billing addresses, expiration dates, validation codes and primary account numbers of customers who purchased products on the website via credit card.

After the CPP notification, Filters Fast conducted an internal investigation but found insufficient evidence of a breach. At the request of a payment card brand, Filters Fast eventually engaged an outside forensic investigator that initially also did not find evidence of a breach, but in late July 2020, discovered the plugin vulnerability. A software patch to fix the vulnerability had been issued three years prior to Filters Fast being attacked, but the company did not implement the patch until July 10, 2020.

Under the terms of the settlement, Filters Fast is required to pay the state of New York $200,000 ($100,000 of which is suspended on the condition that Filters Fast did not “materially misstate[]” its financial position). In addition, Filters Fast will be required to:

  1. execute and enforce systems and security measures to prevent future data breaches;

  2. create a security program to ensure regular updates and reports to Filters Fast’s CEO;

  3. execute an incident response and data breach notification plan to identify, contain, eradicate and recover from breaches; and

  4. ensure that third-party security assessments take place over the next five years.

Attorney General James stated that the settlement exemplifies the New York AG’s dedication to protect online consumers and to “use every available tool to hold companies accountable when they fail to safeguard personal information.”

Read the settlement.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.

National Law Review, Volume XI, Number 152
