Visionworks, Maryland Settle Lax Data Security Case

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Katie W. Johnson

Aug. 20 — Eye care retailer Visionworks Inc. has agreed to pay the state of Maryland $100,000 and improve its security practices following two incidents in which it allegedly misplaced computer servers containing consumers' personal information, the Maryland Office of the Attorney General announced Aug. 19.

The no-fault settlement resolves the office's investigation into two 2014 data breaches at Visionworks stores that affected more than 72,000 Maryland residents, the office said in a statement.

“Devices that contain personal information must be properly secured and discarded,” Maryland Attorney General Brian E. Frosh (D) said in the statement. “Otherwise, the door is open for data to fall into the wrong hands.”

“This case should put businesses on notice that they need to be vigilant on behalf of their customers,” Frosh added.

According to the settlement, Visionworks had determined that no personal information, including health information, was compromised. It notified all affected customers and offered them one year of free credit monitoring.

Unsecured Computer Servers 

While upgrading to fully encrypted servers at its stores in Annapolis, Md., and Jacksonville, Fla., Visionworks didn't adequately secure consumers' personal information, according to the Office of the Attorney General.

The company left the old servers—which contained customer names, addresses, dates of birth, purchasing histories and health insurance information—unsecured in the two stores, the office said. The old servers also contained three days of encrypted credit card data, it said.

Both servers were misplaced by accident and were likely taken to landfills, the office said.

According to the settlement, Visionworks had both expressly and implicitly represented to consumers that it would protect their personal information, including their health information, in accordance with the Health Insurance Portability and Accountability Act and the Maryland Personal Information Protection Act.

By failing to secure the personal information and securely dispose of the information, Visionworks “committed unfair and deceptive trade practices” violating the Maryland Consumer Protection Act, the office said in the settlement.

Regarding the server at the Maryland store, Visionworks said in a statement provided to Bloomberg BNA Aug. 20 that “there is no reason to believe that any of the information residing on this server has been accessed or used inappropriately nor have we received any reports of misuse.” The decommissioned server is now in a local landfill, the company said.

Settlement Terms

In addition to agreeing to pay $100,000 to the state of Maryland, Visionworks agreed to provide, for a period of two years, one year of credit monitoring and identity theft insurance to any patient who contacts it or the Office of the Attorney General regarding the potential disclosure of their personal information.

Visionworks also agreed to:

• not misrepresent the extent to which it protects personal information;

• maintain and dispose of personal information in accordance with HIPAA and the Personal Information Protection Act;

• not dispose of records containing personal information unless it takes “reasonable steps” to protect against unauthorized access;

• use encryption technology to safeguard personal information;

• store decommissioned servers containing personal information in a secure manner;

• not store decommissioned servers containing personal information in its stores “for longer than reasonably required; and

• promptly and securely delete personal information when decommissioning servers.

 

To contact the reporter on this story: Katie W. Johnson in Washington at kjohnson@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Full text of the assurance of discontinuance is available at http://op.bna.com/pl.nsf/r?Open=kjon-9zkp6n.