The SEC Takes Action to Protect Retail Investors

In recent years, retail data breaches have become the norm. The news is filled with stories of nefarious hackers, identity theft, and credit monitoring. A topic that we rarely hear about, however, is the impact a data breach event can have on retail investors. Data breaches can have catastrophic consequences for retailers and, by extension, their investors, as a result of both decreased profits and increased expenses. To address this issue, the SEC has established two new initiatives specifically targeted at protecting retail investors from cybersecurity risks. To learn more, check out the SEC’s September 25, 2017 Press Release, available here.

Wendy’s May Face Liability for Failing to Upgrade Payment Systems

As was previously reported, October 1, 2015 signaled a fraud “liability shift” between credit card issuers and merchants, in which liability for fraudulent credit card transactions began falling on whichever party used the lower level of security and compliance with EMV standards. While merchants are not required to adopt EMV technology (which reads chip cards, as opposed to the less secure magnetic stripe cards), in the event of a data breach, their failure to do so can now render them responsible for the costs associated with the fraudulent use of stolen credit card information. This liability shift has created a very strong incentive for merchants to implement EMV chip card readers.

For companies that have not opted to make the EMV transition, lawsuits may begin to abound. One of the first suits targeting a retailer for its failure to keep up with industry standards was filed on February 8, 2016, in the wake of a possible data breach at the nationwide fast food chain, Wendy’s.

On January 27, 2016, Wendy’s announced that it was investigating a possible breach of its point-of-sale systems, after the company was alerted to “unusual activity” involving customers’ credit or debit cards at some of its locations. Wendy’s hired a cybersecurity firm to investigate the potential breach, which involved transactions in late 2015, and the firm discovered malware designed to steal customer payment data on computers that operate Wendy’s payment processing systems in certain locations.

An Orlando, Florida man purporting to be a victim of the Wendy’s breach initiated a class action lawsuit against the company on February 8, 2016, claiming that Wendy’s “lackadaisical” and “cavalier” security measures allowed his debit card data to be stolen and used to purchase nearly $600.00 of merchandise from various retailers. The lawsuit alleges that Wendy’s could have prevented the breach, yet maintained a system that was insufficient and inadequate to protect customers’ data. An attorney representing the plaintiff suggested that Wendy’s failed to incorporate technology allowing for use of chip-enabled cards, and that the lawsuit may expose the danger of failing to adopt such a system.

The threat of similar class action litigation may serve as a wake-up call for retailers who have failed or otherwise delayed in implementing up-to-date security measures. The suit, Jonathan Torres vs. The Wendy’s Company, can be found here.

FTC Charges Data Broker with Theft of Consumers’ Information and Money from Accounts

According to a recent Federal Trade Commission complaint, a data broker sold sensitive personal information of hundreds of thousands of consumers – including Social Security and bank account numbers – to scammers who allegedly debited millions from their accounts.  The complaint alleges that data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.

According to the FTC’s website and the complaint, these defendants would collect hundreds of thousands of payday loan applications from payday loan websites.  These website applications, including those bought and sold by LeapLab, contained consumers’ sensitive financial information, names, addresses, phone numbers, Social Security numbers and bank account numbers including routing numbers.

The FTC’s complaint alleges that certain non-lender third parties included marketers that made unsolicited sales offers to consumers via email, text message, or telephone calls.  According to the FTC’s complaint, the defendants had reason to believe these marketers had “no legitimate need” for the sensitive information they were selling. The defendants in the case are alleged to have violated the FTC Act’s prohibition on unfair practices.

The FTC notes that it files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the FTC that a proceeding is in the public interest.  We will monitor this case and provide further updates of interest.


20 Million Californians Impacted By Data Breaches in 2013

This week, California Attorney General Kamala Harris released the second annual Data Breach Report, which detailed the 167 data breaches reported to her office in 2013. These data breaches collectively impacted nearly 20 million Californians, reflecting the growing menace of cybercrime.

The AG’s Data Breach Report reflects an increase of over 600 percent in the number of affected Californians since the 2012 report. This was largely due to the high-profile Target and Living Social data breaches, which exposed more than 7.5 million Californians. More than half of the 2013 breaches (53 percent) were caused by computer intrusions, described in the report as “malware” and “hacking.” The remaining breaches resulted from the physical loss or theft of laptops (26 percent) or other devices containing unencrypted personal information as well as unintentional errors (18 percent) and intentional misuse by insiders (4 percent).

The AG’s office provides key recommendations to California retailers to prevent future data breaches. Retailers should:

  • update their point-of-sale systems to the safer “chip-enabled” technology;
  • implement appropriate encryption solutions to devalue payment card data; and
  • respond promptly to data breaches.

These recommendations are significant, as the AG report indicates that the retail sector is most heavily targeted by cybercriminals, with 88 percent of that sector’s data breaches the result of criminal enterprises.

Full details can be found in the AG’s report here at pages 16-24.