
New York’s investigation of Dunkin Donuts results in a promise to abide by the SHIELD Act’s requirements

By Erik Dullea
October 2, 2020

The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Dunkin, which owns the Dunkin’ Donuts brand and franchises Dunkin restaurants, was victimized by credential stuffing attacks in October of 2018 and January 2019. Credential stuffing describes a cyber-attack where hackers take combinations of usernames and passwords leaked at other sites and use them to gain (illegal) access to accounts on other sites.

The attack gave hackers access to customers’ DD Perks rewards accounts. The information available from these accounts typically includes a user’s first and last names, email address (also used as the username), a 16-digit DD Perks account number, and a DD Perks QR code.
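Added example (not from the article, and not Dunkin’s own tooling): a small Python detector for the credential-stuffing pattern just described, run over constructed login events. It flags a source that attempts many distinct usernames in a short window, then lists the accounts that source logged into successfully, which are the accounts to force-reset. The log format, IP addresses, thresholds and names are assumptions.

```python
"""Credential-stuffing detection over constructed login events.

Assumed event format (one per line): "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>".
A real deployment would read the authentication service's own logs instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays six different accounts in seconds
# (two of the leaked credential pairs still work), while a second source is
# an ordinary user mistyping a password once and then succeeding.
SAMPLE_LOG = """\
2018-10-31T08:00:01 203.0.113.7 alice@example.com FAIL
2018-10-31T08:00:02 203.0.113.7 bob@example.com FAIL
2018-10-31T08:00:03 203.0.113.7 carol@example.com SUCCESS
2018-10-31T08:00:04 203.0.113.7 dave@example.com FAIL
2018-10-31T08:00:05 203.0.113.7 erin@example.com FAIL
2018-10-31T08:00:06 203.0.113.7 frank@example.com SUCCESS
2018-10-31T08:05:00 198.51.100.9 alice@example.com FAIL
2018-10-31T08:05:30 198.51.100.9 alice@example.com SUCCESS
"""


def parse_events(text):
    """Parse log lines into (timestamp, source, username, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result == "SUCCESS"))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Return {source: sorted usernames} for every source that tried at least
    `min_users` distinct accounts within any `window`-long span; the listed
    usernames are the accounts that source logged into successfully and
    therefore need a forced password reset. Thresholds are assumptions."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():  # evs is already time-ordered
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct_users = {e[2] for e in evs[start:end + 1]}
            if len(distinct_users) >= min_users:
                # Once a source is flagged, every success from it is suspect.
                flagged[src] = sorted(e[2] for e in evs if e[3])
                break
    return flagged


if __name__ == "__main__":
    for src, users in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: stuffing suspected; reset passwords for {', '.join(users)}")
```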

In September 2019, the New York Attorney General’s Office (NYAG) filed a complaint against Dunkin alleging that the company’s data security practices violated NY General Business Law (GBL) §§ 349, 350 and 899-AA. Sections 349 and 350 are New York’s longstanding consumer protection laws, prohibiting deceptive acts and practices and false advertising, respectively. Section 899-AA is New York’s data breach notification law, which was revised in 2019 by the SHIELD Act.

The complaint alleged that Dunkin violated its own data security policies and misled consumers regarding the company’s data security practices and procedures. Specifically, the complaint alleged that Dunkin failed to: respond appropriately to reports that customers’ DD Perks rewards accounts were being hacked; protect consumer data; and implement appropriate technical safeguards.

Companies outside New York’s jurisdiction should be mindful that unfair and deceptive practices laws exist in most States and can be enforced by the State’s attorney general. Section 5 of the Federal Trade Commission (FTC) Act also prohibits unfair and deceptive practices. The FTC defines ‘deceptive’ practices to involve “a material representation, omission or practice that is likely to mislead a consumer acting reasonably in the circumstances,” and practices are ‘unfair’ when they are likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

Dunkin accepts a financial penalty and agrees to several affirmative obligations through 2026

The consent agreement calls for Dunkin to pay a $650,000 penalty, notify customers whose Dunkin rewards accounts may have been affected by the data breach, and reset the passwords of customers who may have been affected. Dunkin must also comply with New York’s deceptive acts and practices and breach notification laws (GBL §§ 349 and 899-AA) and refrain from misrepresenting its data security practices. However, it is the other affirmative obligations in the consent agreement that are noteworthy for companies possessing customer data.

Through this consent agreement, Dunkin will become the second company this year (Zoom’s agreement with the NYAG being the first) to accept affirmative obligations not to misrepresent the company’s efforts to protect customer information and to implement an information security program to protect consumers’ data.

Like Zoom, Dunkin is required to “maintain a comprehensive information security program” that includes reasonable (1) technological, (2) administrative and (3) physical safeguards. Regular readers of Byte Back will recognize the language describing information security programs from our previous analysis of the essential statutory elements in New York’s SHIELD Act that must be satisfied to constitute reasonable safeguards to protect the security, confidentiality and integrity of the private information associated with New York residents. GBL § 899-BB(2). Dunkin agrees that its obligation to maintain a comprehensive information security program and to investigate and respond to potential data security incidents will remain in effect for six years after the agreement is approved by the court.

What could the enforcement future hold based on the Dunkin and Zoom agreements?

In the absence of Federal legislation regarding data privacy and information security requirements for private sector entities, the laws enacted in the economic-powerhouse States (e.g., California and New York) are becoming the de facto standards for companies to follow, and the consent agreement is one more example that puts companies on notice that they have an ever-evolving and never-ending duty of care to implement information security procedures that protect sensitive, non-public consumer data from a data breach.

In addition to the Dunkin and Zoom agreements, New York’s Division of Financial Services (NYDFS) announced an enforcement action against a title insurance company that was licensed in New York. DFS announced the enforcement action in July, under the DFS cybersecurity regulation. DFS alleges that the title company did not remedy a cybersecurity vulnerability it had discovered in December 2018. The potential penalties under this enforcement action are $1,000.00 per instance of exposed personal information, and should motivate other DFS-regulated entities to act promptly to find and correct security vulnerabilities.

For the near term at least, California has taken a different approach from New York’s use of investigations and enforcement actions to establish a compliance baseline. While the California Consumer Privacy Act (CCPA) has garnered nation-wide attention for the requirement that companies disclose the personal information of California residents they collect and/or sell, CCPA also authorizes penalties for covered businesses that suffer data breaches due to failure to “implement and maintain reasonable security procedures and practices,” but it does not define or explain what reasonable security procedures and practices look like.

However, in 2016, the California Attorney General published a “Data Breach Report,” which explicitly referenced the Center for Internet Security’s twenty data security controls (CIS Controls) as an example of reasonable security procedures and practices. Presumably, companies that implement the CIS Controls would be able to mitigate their risk of enforcement actions under the CCPA in the event of a data breach.

New York’s agreements with Dunkin and Zoom appear to be establishing reasonable security practices through incremental changes

New York’s and California’s compliance and enforcement approaches may be different, and the two States rely on different statutes and regulations to raise the bar on compliance. Nevertheless, these States are laying the foundation, brick by brick, through enforcement agreements and legislation, for higher expectations on the cybersecurity practices and procedures private sector companies must follow.

Decision makers who choose to ignore these developments, and the lawyers who advise them, should heed Judge Learned Hand’s ruling in The T.J. Hooper tugboat radio case. In that case, Judge Hand wrote that universal adoption of new technology is not required before the standard of care for negligent omissions is established.


Erik Dullea is a partner in Husch Blackwell LLP’s Denver office and belongs to the firm’s Technology, Manufacturing & Transportation industry group.
