In a continued pursuit of cybersecurity compliance, New York Attorney General (AG) Letitia James has sued Dunkin’ Brands, Inc. (franchisor of Dunkin’ Donuts) over two data breaches, in 2015 and 2018, accusing the company of mishandling a series of cyberattacks that together compromised more than 320,000 customer accounts.

In the complaint filed last week, AG James alleges that Dunkin’, by failing to notify consumers of the breaches or to take sufficient steps to investigate and safeguard consumer data, violated not only its internal data security procedures but also New York data breach notification and consumer protection laws.

In 2015, Dunkin’ was the target of a series of brute force attacks, in which automated software was used to gain access to accounts by guessing various combinations of usernames and passwords. The lawsuit alleges that despite being notified of these attacks by one of its mobile app developers, Dunkin’ did not notify its customers – in violation of the New York data breach notification law – nor did it carry out any security measures to prevent future attacks, such as resetting passwords or freezing accounts.

The complaint alleges that the company failed to take any action until 2018, when another vendor informed Dunkin’ of a second data breach. The complaint goes on to allege that although Dunkin’ contacted affected customers the second time around, the company falsely represented in the notifications that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful.

In a press release about the lawsuit, AG James said: “My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”

This lawsuit comes on the heels of a recent settlement by AG James with sock start-up Bombas, following an investigation that found the company waited three years to notify customers of a data breach affecting nearly 40,000 accounts. AG James alleged that by failing to notify these consumers and relevant New York agencies “in an expedient time-period, and without unreasonable delay,” Bombas violated New York’s breach notification statute, General Business Law section 899-AA. Under the terms of the settlement, Bombas agreed to pay $65,000 in penalties, as well as improve its cybersecurity systems to prevent similar breaches in the future, such as by conducting thorough and expeditious investigations and providing additional training to employees.

The Dunkin’ lawsuit and Bombas settlement are just two examples of New York’s dedication to data enforcement, and it is clear the attorney general’s office is making cybersecurity a priority. Earlier this year, AG James and her administration pushed for the passage of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act (S.5575B/A.5635), which significantly increases obligations for companies to notify customers upon experiencing a data breach. As discussed in a previous post, the SHIELD Act also imposes “reasonable” security requirements on persons and entities that collect the private information of New York residents.

As data breaches become more prevalent, complex, and severe – and enforcement efforts become more stringent – it is important for companies to be fully prepared and to have a regularly tested incident response plan in place. We also stress that companies should implement, and continuously update, their policies and procedures in order to comply with data security and breach notification requirements.