New York Attorney General Letitia James recently announced that her office has filed suit against Dunkin’ Donuts arising from a 2015 data breach that affected nearly 20,000 customers. Its lawyers will need a lot of Dunkin’s heralded coffee during the many late nights and early mornings it will take to resolve this one.
We had previously written that New York is ramping up efforts to combat cybercrime, including passage of the cybersecurity-specific SHIELD Act, part of which took effect on October 23, and the recent formation of the Bureau of Internet and Technology within the Attorney General’s Office. This law suit against Dunkin’ Donuts is part of that trend, and New York businesses and companies that access information of New York residents should take note and take steps to put their cybersecurity houses in order.
In May 2015, the Attorney General contends, Dunkin’ customers reported that it appeared that attackers gained access to customer accounts. An investigation revealed that the attackers got into the accounts of customers through “brute force attacks” in which the attackers repeatedly attempted to break passwords and enter accounts, often using usernames and passwords stolen from other websites. Where the passwords comprised names of pets, spouses and children whose names were used in social media posts, the attackers’ tasks were easier.
But that did not, according to General James, excuse Dunkin’ from utilizing basic security safeguards for customers who held accounts with the company or from misrepresenting the safeguards Dunkin’ had put in place for those accounts.
The law suit was brought under two provisions of New York’s General Business Law. General James contends, pursuant to New York General Business Law Sections 349 and 350, that Dunkin misrepresented to consumers that it had provided “reasonable safeguards” to protect personal information when customers first signed up for an account. The second prong of the law suit is an allegation that Dunkin’ violated General Business Law Section 899-aa, New York’s breach notification statute. The claim avers that Dunkin’ failed to timely notify consumers that their information had been disclosed without authorization, failed to advise them to change their passwords and freeze their accounts and did not thoroughly investigate and remediate the security weaknesses in a timely manner.
The law suit seeks “injunctive relief, full restitution to customers, civil penalties and other remedies.” This will be a very expensive wakeup call to Dunkin’ Donuts, but it should also be a caffeine jolt to all businesses in New York and who do business with New York residents’ data that enforcement of cybersecurity protections in New York is happening in real time.
If you have a question or need assistance concerning cybersecurity protection requirements for your business, please contact Kenneth N. Rashbaum.