Governance & Risk Management , Incident & Breach Response , Privacy
Settlement in Zappos Breach Case
9-State Agreement Requires Online Retailer to Beef Up SecurityOnline shoe and clothing retailer Zappos has reached a settlement with nine state attorneys general over a 2012 data breach that exposed the personal details of more than 24 million customers.
See Also: Gartner Market Guide for DFIR Retainer Services
Zappos has agreed to pay a total of $106,000 to the states and take several steps to protect its customers' information, Massachusetts Attorney General Martha Coakley says. In addition to Massachusetts, the settlement involves Arizona, Connecticut, Florida, Kentucky, Maryland, North Carolina, Ohio and Pennsylvania.
In their inquiry into the breach, the attorneys general questioned the effectiveness of Zappos' measures to protect the confidentiality and security of private information.
While some may perceive the settlement to be a slap on the wrist, it's important to consider more than just enforcement actions and monetary fines, says Scot Ganow, a privacy and security attorney at the law firm Faruki Ireland and Cox PLL. "Zappos has spent the last three years being a punching bag poster child for bad information security practices, and probably lost business as a result," he says.
The company's recovery also most likely includes spending money on brand rehabilitation, rebuilding customer loyalty, and spending money on attorneys to defend them, Ganow says. "And don't think the compliance requirements the company agreed to implement, to include external audits, are cheap either," he says.
The Zappos incident shows the financial risks of failing to properly fund and staff information security programs. "The PR and business fallout can often cost you more than the enforcement action or settlement," Ganow says.
Breach Details
When it disclosed the breach in January 2012, Zappos said that a criminal gained access to certain parts of its network through one of the company's servers in Kentucky. The data breach resulted in unauthorized access to the following customer account information: names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or the cryptographically scrambled passwords (but not the actual passwords).
Later that month, the state attorneys general demanded the retailer provide more details about the breach, raising concerns about the risk of identity theft, fraud, targeted e-mail phishing or other scams (see: States Ask Zappos for Breach Details).
But there was no evidence that full credit or debit card numbers or other payment data was compromised in the breach, Coakley says.
Settlement Requirements
Under the terms of the nine-state settlement, Zappos is required to:
- Maintain and comply with its information security policies and procedures;
- Provide the attorneys general with its current security policy regarding customer information;
- Provide copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years;
- Have a third party conduct an audit of its security of personal information, provide the audit report to the attorneys general, and address any identified deficiencies; and
- Provide annual training to employees regarding its security policies.
"Businesses, including online retailers, must appropriately protect their customers' information by guarding against data breaches," Coakley says. "Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place."
Zappos has declined to comment on the details of the settlement.