Zappos, Nine States Reach Settlement Over Breach Affecting 24M Customers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Donald G. Aplin

Jan. 8 — Inc. and nine states Jan. 7 announced a no-fault assurance of voluntary compliance settlement of enforcement actions related to a hacking breach of the online shoe and clothing retailer revealed in 2012.

Under the agreement, Zappos—a subsidiary of—will pay a total of $106,000 to the attorneys general of Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio, and Pennsylvania. The distribution of the funds to each of the states will be determined by the attorneys general, and under the terms of the agreement may be used to cover the costs of the enforcement action, fund consumer privacy efforts or any other purpose.

The Las Vegas-based company also agreed to data security improvements, new oversight and reporting requirements and employee training.

Server Hack

On Jan. 15, 2012, Zappos announced that it would notify 24 million customers of a hacking incident of its computer servers in Kentucky, which resulted in the release of customer names; e-mail, billing, and shipping addresses; phone numbers; the last four digits of credit card numbers; and “cryptographically scrambled” passwords.

Within a week, attorneys general from the nine states had opened an enforcement investigation into the hacking breach.

The first of several putative consumer class actions was filed the day after Zappos revealed the breach.

In June 2012, multiple complaints from across the country were consolidated in the U.S. District Court for the District of Nevada. On Nov. 19, 2014, the court stayed the proceedings pending further mediation efforts.

Data Security Obligations

In addition to the payment, Zappos agreed to:

• maintain and comply with its information security policies and procedures;

• provide the attorneys general with its security policy and changes to the policy for the next two years;

• provide the attorneys general with copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years;

• within 180 days, have a third party conduct an audit of its security of personal information;

• provide the attorneys general with the independent audit report and if the report identifies problems, provide a timetable for implementing a corrective action plan;

• provide a copy of the assurance of voluntary compliance to all employees engaged in information security for the company and to all employees at the level of vice president or above; and

• provide annual information security training to relevant employees.

Breach Threat

“When you entrust your personal information to a business, you expect that business to keep it safe,” North Carolina Attorney General Roy Cooper (D), whose office led the enforcement effort, said in a Jan. 7 statement.

“Businesses must take the threat of a security breach seriously, and they must do more to protect consumers’ data.”

Strook & Strook & Lavan LLP represented Zappos.

A spokeswoman for Zappos told Bloomberg BNA Jan. 8 that the company had no comment on the settlement.

To contact the reporter on this story: Donald G. Aplin in Washington at

To contact the editor responsible for this story: Katie W. Johnson at

Full text of the assurance of voluntary compliance is available at