An online retailer agreed to pay $65,000 in penalties and implement certain remedial data security policies in order to resolve a consumer data breach investigation conducted by the New York Attorney General.

According to Attorney General Letitia James, in September 2014, hackers used malicious software code inserted into the e-commerce platform supporting the website of retailer Bombas LLC ("Bombas") to steal stored credit and debit card information from 39,561 customers. Bombas allegedly discovered the code after two months, but neglected to remove it permanently for another two months. Bombas then failed to notify the 2,971 affected New York residents until May 2018 - more than three years after the breach - in violation of New York General Business Law § 899-aa, which requires breach victims to make disclosures to applicable state regulators and affected customers "in the most expedient time possible and without unreasonable delay."

In addition to the settlement payment, Bombas agreed to several injunctive provisions and to implement various remedial data security policies and training regimens to address the threat of future data breaches. Attorney General James noted that Bombas offered the affected customers two years of free credit monitoring, fraud consultation and identity theft restoration services, none of which is required by law.

Commentary / Joseph V. Moreno

While high-profile cybersecurity cases investigated by the Federal Trade Commission are the ones most likely to make the headlines, the Bombas case illustrates that attorneys general and other state authorities are truly on the front lines when it comes to addressing breaches of customers' personal information. It is also a reminder that, in the absence of a national data breach standard, each U.S. state and territory maintains its own breach notification law, each with its own nuances regarding how personal information is defined, what constitutes a breach, who must be notified, what notification should look like, and how quickly notification must occur. Bombas may have settled in New York for a modest amount, but New York residents constituted less than eight percent of the total number of customers potentially impacted by the breach, meaning that other jurisdictions are likely to continue pursuing the retailer. The biggest takeaway from the case is that, in the unfortunate event of a data breach, companies should understand and be prepared to comply with breach notification laws in all fifty states.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.