On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to victims of the data breaches. The FTC’s Complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security measures to protect the Personal Information of consumers and merchants stored on the company’s systems. Although similar in content to previous FTC orders, the current order addresses a myriad of unique provisions and provides a glimpse into the FTC’s future enforcement of cybersecurity issues.
In April, the Federal Trade Commission settled charges against Progressive Leasing, a company that markets virtual rent-to-own payment plans to retail stores nationwide. Unlike traditional rent-to-own companies, Progressive does not operate its own brick-and-mortar stores. Instead, Progressive markets its rent-to-own payment plans to consumers who shop at certain retail stores or websites, primarily those in…
The Federal Trade Commission’s (FTC) recent $5 billion settlement with Facebook is unprecedented in multiple respects:
- The $5 billion penalty represents the largest privacy and data security settlement in history – it is almost 20 times larger than the recent Equifax Inc. settlement and dwarfs recent EU data protection enforcement actions.
- As part of the settlement, new corporate governance measures relating to privacy and data security will be required, including an independent committee of the board of directors, with specific nomination requirements and subject matter coverage. This will place pressure on many boards and organizations to freshly examine information governance risk.
- The settlement also requires executive certifications, which, if modeled by other companies, will trigger dramatic changes in accountability as executives turn to rely on experts, internal compliance teams, audit and related expertise for assurance and attestation in order to avoid civil and criminal penalties and derivative litigation.
The signaling effect of the settlement to the broader business community intended by the primary privacy regulator in the United States cannot be overstated. Similar enforcement actions, such as individual prosecutions in Europe under the EU Data Protection Directive, triggered immediate response and attention from corporations just as the emergence of breach notification laws resulted in massive new investments in information security programs in the United States.…
The U.S. Securities and Exchange Commission (SEC) recently settled two initial coin offering (ICO) enforcement actions grounded on the sale of unregistered securities. The two settlements, one with CarrierEQ Inc. (or AirFox) and the other with Paragon Coin Inc., are the first time the SEC has imposed civil penalties on companies solely for offering digital…
In a span of a few weeks in early January 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced two major settlements under the Health Insurance Portability and Accountability Act (“HIPAA”) relating to the breach of protected health information (“PHI”). Neither settlement included an admission of any liability, but they included significant fines and mandated that additional measures be taken to protect PHI.
One of the investigations was triggered by alleged untimely notification of a breach of the PHI of 836 individuals by a large health care network. The health care network discovered that paper-based operating room schedules with PHI went missing from one of its surgery centers October 22, 2013, but did not notify the OCR until January 31, 2014. The notification delay was apparently because of miscommunication between its workforce members. Citing the 60-day notice deadline in the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), the OCR investigation concluded that the notifications to OCR that affected individuals (on February 3, 2014) and required media outlets (on February 5, 2014) were roughly 40 days overdue. OCR also reviewed notifications provided by the health care network in regard to smaller breach incidents in 2015 and 2016, and concluded that those notifications were not timely either.
Continue Reading OCR’s Latest Health Breach Investigations Yield Big Settlements
Still recovering from its 2013 data breach, Target Corp. agreed to a $39 million settlement with a class of banks suing the well-known retailer, marking the settlement as the first class-wide data breach pact ever reached on behalf of financial institutions.
Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. The Minneapolis-based company’s breach still ranks among the most high-profile data incidents to hit retailers in recent years.
The class-wide pact stems from a consolidated class action complaint filed in August 2014 to recover an estimated $200 million in losses stemming from the breach, including costs to reimburse fraudulent charges and issue new payment cards. The complaint alleges that Target failed to take precautions to protect consumer data and violated the Minnesota Plastic Card Security Act.
Continue Reading Target Agrees to $39 Million Settlement with Credit Card Issuers’ Data Breach Claims
More than a year-and-a-half after Target’s December 2013 announcement of a massive data breach, the retailer has reached an agreement with Visa, whereby it will reimburse Visa and certain affected card issuers up to $67 million for expenses incurred in connection with the breach. This will include costs associated with reissuing cards. The agreement comes three months after the company’s proposed $19 million settlement with MasterCard fell through as not enough banks accepted the deal. The MasterCard deal required the approval of 90 percent of banks representing cardholder accounts that were affected by the breach. The Visa deal is less likely to fall apart because it was conditioned on a majority of issuers entering into direct settlements with Visa and Target, which Visa has since certified. According to sources within the company and at MasterCard, the retailer is also renewing efforts to settle with MasterCard on a similar basis.
Meanwhile, a class certification motion hearing on behalf of the financial institution plaintiffs is scheduled to be held September 10, 2015. According to lead counsel for the plaintiffs, Charles Zimmerman of Zimmerman Reed PLLP, plaintiffs seek to hold Target accountable for damages “far greater than what has been offered under this settlement.” Zimmerman further contends that “[j]ust as with the proposed MasterCard settlement… [the Visa deal] was negotiated under a veil of secrecy without the involvement of the court or the court-appointment legal representatives of financial institutions.”…
Continue Reading Target Reaches $67 Million Settlement with Visa over Data Breach Claims