Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Jan. 8 — Zappos.com Inc. and nine states Jan. 7 announced a no-fault assurance of voluntary compliance settlement of enforcement actions related to a hacking breach of the online shoe and clothing retailer revealed in 2012.
Under the agreement, Zappos—a subsidiary of Amazon.com—will pay a total of $106,000 to the attorneys general of Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio, and Pennsylvania. The distribution of the funds to each of the states will be determined by the attorneys general, and under the terms of the agreement may be used to cover the costs of the enforcement action, fund consumer privacy efforts or any other purpose.
The Las Vegas-based company also agreed to data security improvements, new oversight and reporting requirements and employee training.
On Jan. 15, 2012, Zappos announced that it would notify 24 million customers of a hacking incident of its computer servers in Kentucky, which resulted in the release of customer names; e-mail, billing, and shipping addresses; phone numbers; the last four digits of credit card numbers; and “cryptographically scrambled” passwords.
Within a week, attorneys general from the nine states had opened an enforcement investigation into the hacking breach.
The first of several putative consumer class actions was filed the day after Zappos revealed the breach.
In June 2012, multiple complaints from across the country were consolidated in the U.S. District Court for the District of Nevada. On Nov. 19, 2014, the court stayed the proceedings pending further mediation efforts.
In addition to the payment, Zappos agreed to:
• maintain and comply with its information security policies and procedures;
• provide the attorneys general with its security policy and changes to the policy for the next two years;
• provide the attorneys general with copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years;
• within 180 days, have a third party conduct an audit of its security of personal information;
• provide the attorneys general with the independent audit report and if the report identifies problems, provide a timetable for implementing a corrective action plan;
• provide a copy of the assurance of voluntary compliance to all employees engaged in information security for the company and to all employees at the level of vice president or above; and
• provide annual information security training to relevant employees.
“When you entrust your personal information to a business, you expect that business to keep it safe,” North Carolina Attorney General Roy Cooper (D), whose office led the enforcement effort, said in a Jan. 7 statement.
“Businesses must take the threat of a security breach seriously, and they must do more to protect consumers’ data.”
Strook & Strook & Lavan LLP represented Zappos.
A spokeswoman for Zappos told Bloomberg BNA Jan. 8 that the company had no comment on the settlement.
To contact the reporter on this story: Donald G. Aplin in Washington at mailto:%email@example.com
To contact the editor responsible for this story: Katie W. Johnson at firstname.lastname@example.org
Full text of the assurance of voluntary compliance is available at http://op.bna.com/pl.nsf/r?Open=dapn-9skjbq.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)