June 16, 2021

Volume XI, Number 167

Advertisement

June 15, 2021

Subscribe to Latest Legal News and Analysis

June 14, 2021

Subscribe to Latest Legal News and Analysis

NY Attorney General Announces Settlement After Website Data Breach

In late May, New York Attorney General Letitia James announced a $200,000 settlement agreement with Filters Fast, an online water filtration retailer, stemming from a 2019 data breach compromising the personal information of over 300,000 consumers across the U.S., including nearly 17,000 in New York state.  The settlement also requires the online retailer to strengthen its cybersecurity policies and procedures.

The settlement was the result of an enforcement action brought by the State AG under New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). See our SHIELD Act FAQs here.  The SHIELD Act was enacted in 2019 with the goal of strengthening protection for New York residents against data breaches affecting their private information.   The Act imposes expansive data security obligations and updated the State’s existing data breach notification requirements.

The Filters Fast breach affected the names, billing addresses, and credit card expiration dates and security codes of customers who purchased products on the Company’s website for nearly a year, between July 2019 – July 2020. Filters Fast was first made aware of the breach in February 2020, but after conducting an internal investigation concluded that a breach had not occurred.  After receiving several additional reports of compromised data, however, the Company’s internal investigator concluded in late July of 2020 that a breach had in fact occurred, and the website was patched. On August 14th 2020 – over a year after the breach had initially occurred, and approximately six months after the Company first became aware of it – notification of the breach was sent to affected customers.

“New Yorkers should never have to worry that their personal information will be attacked during a routine online checkout process,” said Attorney General James in her announcement of the settlement. “Online information security has been especially critical during the COVID-19 pandemic, during which New Yorkers have increasingly relied on online retailers, such as Filters Fast, to purchase basic household goods. My office is committed to protecting consumers, which is why we will continue to use every available tool to hold companies accountable when they fail to safeguard personal information.”

In addition to the settlement payment, the AG’s agreement with Fast Filters  requires several improvements to the company’s policies and procedures to help prevent future data security incidents, such as:

  • Creating a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the company’s CEO concerning security risks;

  • Designing an incident response and data breach notification plan that encompasses preparation, detection and analysis, containment, eradication, and recovery;

  • Adopting personal information safeguards and controls — including encryption, segmentation, penetration testing, logging and monitoring, virus protection policy, custom application code change reviews, authentication policy and procedures, management of service providers, and patch management; and

  • Ensuring that third-party security assessments take place over the next five years.

The SHIELD Act is far-reaching: it affects any business that holds private information of a New York resident — regardless of whether the organization does business in New York, and including small businesses. Under the Act, individuals and businesses that collect computerized data, including private information about New York residents, must implement and maintain reasonable administrative, physical and technical safeguards. The Act provides several safeguards which may be implemented to ensure compliance.

Data privacy and security risks continue to emerge with enforcement not far behind. Regardless of their location, organizations should be assessing and reviewing their data breach prevention and response activities, building robust data protection programs, and investing in written information security programs (WISPs).

Jackson Lewis P.C. © 2021National Law Review, Volume XI, Number 159
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer
Principal

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890
Damon Silver, Employment Lawyer, Corporate Matters, Jackson Lewis
Associate

Damon W. Silver is an Associate in the New York City, New York, office of Jackson Lewis P.C.

In his Privacy, e-Communication and Data Security practice, Mr. Silver advises clients in various industries on compliance with federal and international privacy laws, including HIPPA, the ADA, GINA, FMLA, the TCPA, FCRA, and the EU-U.S. Privacy Shield. He also provides guidance to organizations on data breach prevention and response. 

In the area of employment litigation, Mr. Silver defends...

212-545-4063
Attorney

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.

212-545-4000
Advertisement
Advertisement