The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).
Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.
Dunkin, which owns the Dunkin’ Donuts brand and franchises Dunkin restaurants, was victimized by credential stuffing attacks in October 2018 and January 2019. Credential stuffing is an attack in which hackers take username and password combinations leaked from other sites and replay them against a new site, relying on the fact that many people reuse the same password across accounts.
The attack gave hackers access to customers’ DD Perks rewards accounts. The information available from these accounts typically includes a user’s first and last names, email address (also used as the username), a 16-digit DD Perks account number, and a DD Perks QR code.
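Credential stuffing has a recognizable signature in authentication logs: one source tries many different usernames, most attempts fail, and the few that succeed are the accounts whose passwords were reused. The following is an added example, not code from the Dunkin matter or the NYAG complaint, that applies that heuristic to a handful of constructed log lines; the log format, the threshold values, and the IP addresses are assumptions. It also lists the accounts that logged in successfully from a flagged source, which is the population a company would need to notify and force a password reset for.

```python
"""Flag credential-stuffing activity in authentication logs (added example).

Assumed log format, one event per line:
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
The sample lines, IPs and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: one source sprays eight different accounts and gets two
# hits; a second source hammers a single account (brute force, not stuffing);
# a third is a normal login.
SAMPLE_LOG = """\
2018-10-01T03:00:01Z 203.0.113.7 alice@example.com FAIL
2018-10-01T03:00:02Z 203.0.113.7 bob@example.com FAIL
2018-10-01T03:00:02Z 203.0.113.7 carol@example.com FAIL
2018-10-01T03:00:03Z 203.0.113.7 dave@example.com OK
2018-10-01T03:00:03Z 203.0.113.7 erin@example.com FAIL
2018-10-01T03:00:04Z 203.0.113.7 frank@example.com FAIL
2018-10-01T03:00:04Z 203.0.113.7 grace@example.com OK
2018-10-01T03:00:05Z 203.0.113.7 heidi@example.com FAIL
2018-10-01T03:01:10Z 198.51.100.20 alice@example.com FAIL
2018-10-01T03:01:25Z 198.51.100.20 alice@example.com FAIL
2018-10-01T03:01:40Z 198.51.100.20 alice@example.com OK
2018-10-01T03:02:00Z 192.0.2.55 ivan@example.com OK
"""

Event = Tuple[str, str, str, bool]  # (timestamp, source ip, username, success)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)       # distinct usernames tried
    compromised: Set[str] = field(default_factory=set)  # usernames that logged in OK


def parse_log(text: str) -> List[Event]:
    """Parse the assumed four-field format; blank lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user.lower(), result == "OK"))
    return events


def aggregate(events: List[Event]) -> Dict[str, SourceStats]:
    """Roll events up per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.compromised.add(user)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing(stats: Dict[str, SourceStats],
                  min_users: int = 5,
                  min_fail_rate: float = 0.6) -> Dict[str, SourceStats]:
    """Return sources that tried many distinct usernames with a high failure rate.

    Brute force against one account (one username, many failures) is a
    different pattern and is deliberately not matched here.
    """
    flagged: Dict[str, SourceStats] = {}
    for ip, s in stats.items():
        fail_rate = s.failures / s.attempts
        if len(s.users) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = s
    return flagged


def accounts_to_reset(flagged: Dict[str, SourceStats]) -> Set[str]:
    """Accounts that authenticated successfully from a flagged source."""
    out: Set[str] = set()
    for s in flagged.values():
        out |= s.compromised
    return out


if __name__ == "__main__":
    flagged = flag_stuffing(aggregate(parse_log(SAMPLE_LOG)))
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.users)} users tried, {s.failures}/{s.attempts} failed")
    print("force password reset for:", sorted(accounts_to_reset(flagged)))
```

The timestamps are parsed but not used; a production detector would evaluate the same counts over a sliding window (say, five or fifteen minutes) rather than over the whole log, and would correlate across IPs, since stuffing tools commonly rotate through proxy pools so that no single address stands out.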
In September 2019, the NYAG filed a complaint against Dunkin alleging that the company’s data security practices violated NY General Business Law (GBL) §§ 349, 350 and 899-AA. Sections 349 and 350 are New York’s longstanding consumer protection laws, prohibiting deceptive acts and practices and false advertising, respectively. Section 899-AA is New York’s data breach notification law, which was revised in 2019 by the SHIELD Act.
The complaint alleged that Dunkin violated its own data security policies and misled consumers regarding the company’s data security practices and procedures. Specifically, the complaint alleged that Dunkin failed to: respond appropriately to reports that customers’ DD Perks rewards accounts were being hacked; protect consumer data; and implement appropriate technical safeguards.
Companies outside New York’s jurisdiction should be mindful that unfair and deceptive practices laws exist in most States and can be enforced by the State’s attorney general. Section 5 of the Federal Trade Commission (FTC) Act also prohibits unfair and deceptive practices. The FTC defines ‘deceptive’ practices to involve “a material representation, omission or practice that is likely to mislead a consumer acting reasonably in the circumstances,” and practices are ‘unfair’ when they are likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Dunkin accepts a financial penalty and agrees to several affirmative obligations through 2026
The consent agreement calls for Dunkin to pay a $650,000 penalty, notify customers whose Dunkin rewards accounts may have been affected by the data breach, and reset the passwords of customers who may have been affected. Dunkin must also comply with New York’s deceptive acts and practices and breach notification laws (GBL §§ 349 and 899-AA) and refrain from misrepresenting its data security practices. However, it is the other affirmative obligations in the consent agreement that are noteworthy for companies possessing customer data.
Through this consent agreement, Dunkin becomes the second company this year (Zoom’s agreement with the NYAG being the first) to accept affirmative obligations not to misrepresent the company’s efforts to protect customer information and to implement an information security program to protect consumers’ data.
Like Zoom, Dunkin is required to “maintain a comprehensive information security program” that includes reasonable (1) technological, (2) administrative and (3) physical safeguards. Regular readers of Byte Back will recognize the language describing information security programs from our previous analysis of the essential statutory elements in New York’s SHIELD Act that must be satisfied to constitute reasonable safeguards to protect the security, confidentiality and integrity of the private information associated with New York residents. GBL § 899-BB(2). Dunkin agrees that its obligation to maintain a comprehensive information security program and to investigate and respond to potential data security incidents will remain in effect for six years after the agreement is approved by the court.
What could the enforcement future hold based on the Dunkin and Zoom agreements?
In the absence of Federal legislation regarding data privacy and information security requirements for private sector entities, the laws enacted in the economic-powerhouse States (e.g., California and New York) are becoming the de facto standards for companies to follow. The consent agreement is one more example that puts companies on notice that they have an ever-evolving and never-ending duty of care to implement information security procedures that protect sensitive, non-public consumer data from a data breach.
In addition to the Dunkin and Zoom agreements, New York’s Department of Financial Services (DFS) announced an enforcement action against a title insurance company that was licensed in New York. DFS announced the enforcement action in July, under the DFS cybersecurity regulation (23 NYCRR Part 500). DFS alleges that the title company did not remedy a cybersecurity vulnerability it had discovered in December 2018. The potential penalties under this enforcement action are $1,000 per instance of exposed personal information, and should motivate other DFS-regulated entities to act promptly to find and correct security vulnerabilities.
For the near term at least, California has taken a different approach from New York’s use of investigations and enforcement actions to establish a compliance baseline. While the California Consumer Privacy Act (CCPA) has garnered nationwide attention for the requirement that companies disclose the personal information of California residents they collect and/or sell, CCPA also authorizes penalties for covered businesses that suffer data breaches due to a failure to “implement and maintain reasonable security procedures and practices,” but it does not define or explain what reasonable security procedures and practices look like.
However, in 2016, the California Attorney General published a “Data Breach Report,” which explicitly referenced the Center for Internet Security’s twenty data security controls (CIS Controls) as an example of reasonable security procedures and practices. Presumably, companies that implement the CIS Controls would be able to mitigate their risk of enforcement actions under the CCPA in the event of a data breach.
New York’s agreements with Dunkin and Zoom appear to be establishing reasonable security practices through incremental changes
New York’s and California’s compliance and enforcement approaches may be different, and the two States rely on different statutes and regulations to raise the bar on compliance. Nevertheless, these States are laying the foundation, brick by brick, through enforcement agreements and legislation, for higher expectations on the cybersecurity practices and procedures private sector companies must follow.
Decision makers who choose to ignore these developments, and the lawyers who advise them, should heed Judge Learned Hand’s ruling in The T.J. Hooper tugboat radio case. In that case, Judge Hand wrote that an entire industry may lag in adopting new and available safeguards, and that universal adoption of a technology is not required before its omission falls below the standard of care.