On January 7, 2015, attorneys general for Pennsylvania, Connecticut, Florida, Arizona, Kentucky, Ohio, Maryland, Massachusetts, and North Carolina announced a settlement with Zappos.com Inc. related to a 2012 breach of the company’s computer security systems. That breach placed the personal data of millions of customers nationwide at risk.
By the settlement, Zappos agreed to pay a total of $106,000 to the nine states and to enhance its privacy policies and security standards. According to an announcement by the Florida Attorney General, Zappos is required to “[m]aintain and comply with its information security policies and procedures”; “[p]rovide the attorney generals with its current security policy”; “[p]rovide the attorney generals copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years”; “[h]ave a third party conduct an audit of its security of personal information”; and “[p]rovide relevant training to employees.”
The Zappos settlement illustrates that businesses should be mindful of the data breach laws of all states that they operate in. The nine states participating in the Zappos settlement have data breach laws that impose various obligations on businesses. Businesses may not be aware they are subject to the data breach law of more than one state, and they should take care to identify and comply with all applicable data breach laws. Failure to do so may result in multi-state liability and litigation.
The obligations imposed by the Zappos settlement highlight the importance of obtaining an effective cyberinsurance policy. Under the Zappos settlement, Zappos must train its employees, prepare reports to the attorneys general, and hire professionals to conduct the required information security audit. Traditional insurance forms may not cover the costs of such obligations, and cyberinsurance may mitigate those and other costs associated with a data breach. Obtaining an effective cyberinsurance policy prior to a data breach may save a business hundreds of thousands of dollars, if not more.
As stated by the Massachusetts Attorney General in announcing the settlement, “Businesses, including online retailers, must appropriately protect their customers’ information by guarding against data breaches.” The Zappos settlement should remind businesses of the costs that they may incur if they do not act in compliance with data breach laws and do not take preemptive measures to mitigate the cost of data breaches.