Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Aug. 20 — Eye care retailer Visionworks Inc. has agreed to pay the state of Maryland $100,000 and improve its security practices following two incidents in which it allegedly misplaced computer servers containing consumers' personal information, the Maryland Office of the Attorney General announced Aug. 19.
The no-fault settlement resolves the office's investigation into two 2014 data breaches at Visionworks stores that affected more than 72,000 Maryland residents, the office said in a statement.
“Devices that contain personal information must be properly secured and discarded,” Maryland Attorney General Brian E. Frosh (D) said in the statement. “Otherwise, the door is open for data to fall into the wrong hands.”
“This case should put businesses on notice that they need to be vigilant on behalf of their customers,” Frosh added.
According to the settlement, Visionworks had determined that no personal information, including health information, was compromised. It notified all affected customers and offered them one year of free credit monitoring.
While upgrading to fully encrypted servers at its stores in Annapolis, Md., and Jacksonville, Fla., Visionworks didn't adequately secure consumers' personal information, according to the Office of the Attorney General.
The company left the old servers—which contained customer names, addresses, dates of birth, purchasing histories and health insurance information—unsecured in the two stores, the office said. The old servers also contained three days of encrypted credit card data, it said.
Both servers were misplaced by accident and were likely taken to landfills, the office said.
According to the settlement, Visionworks had both expressly and implicitly represented to consumers that it would protect their personal information, including their health information, in accordance with the Health Insurance Portability and Accountability Act and the Maryland Personal Information Protection Act.
By failing to secure the personal information and securely dispose of the information, Visionworks “committed unfair and deceptive trade practices” violating the Maryland Consumer Protection Act, the office said in the settlement.
Regarding the server at the Maryland store, Visionworks said in a statement provided to Bloomberg BNA Aug. 20 that “there is no reason to believe that any of the information residing on this server has been accessed or used inappropriately nor have we received any reports of misuse.” The decommissioned server is now in a local landfill, the company said.
In addition to agreeing to pay $100,000 to the state of Maryland, Visionworks agreed to provide, for a period of two years, one year of credit monitoring and identity theft insurance to any patient who contacts it or the Office of the Attorney General regarding the potential disclosure of their personal information.
Under the settlement, Visionworks also agreed to:
• not misrepresent the extent to which it protects personal information;
• maintain and dispose of personal information in accordance with HIPAA and the Personal Information Protection Act;
• not dispose of records containing personal information unless it takes “reasonable steps” to protect against unauthorized access;
• use encryption technology to safeguard personal information;
• store decommissioned servers containing personal information in a secure manner;
• not store decommissioned servers containing personal information in its stores “for longer than reasonably required”; and
• promptly and securely delete personal information when decommissioning servers.
To contact the reporter on this story: Katie W. Johnson in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Full text of the assurance of discontinuance is available at http://op.bna.com/pl.nsf/r?Open=kjon-9zkp6n.