A putative consumer class action filed in California state court on Friday the 18th against Petco Animal Supplies Stores Inc. (Petco) and its wholly owned subsidiary PupBox Inc. (PupBox) alleges that between February and August an “unauthorized plugin” on the PupBox website caused the personal and credit card information of approximately 30,000 consumers to be stolen by an unauthorized third party. The complaint asserts, on information and belief, that the cyberattack resulted from the defendants’ failure to encrypt payment card data (PCD) at the point of sale and/or that the defendants “failed to install updates, patches, and malware protection or to install them in a timely manner to protect against a data security breach; and/or failed to provide sufficient control employee credentials and access to computer systems to prevent a security breach and/or theft of PCD.” The complaint further alleges that although Petco first learned of the cyberattack in early August, PupBox customers were not notified of the breach until October, creating a two-month lag during which class members could have attempted to mitigate the damage caused by the breach. The lawsuit alleges violations of the Washington State Consumer Protection Act, the California Unfair Competition Law, the California Consumer Records Act, and common law claims for negligence, negligence per se, breach of implied contract, and unjust enrichment.
Data breaches can be costly to companies in more ways than one. Beyond the cost of hiring a forensic investigator to determine what happened, companies face reputational damage, contractual disputes, class action litigation, and potential regulatory investigations. For financial companies regulated by the federal Gramm-Leach-Bliley Act’s Safeguards Rule or the New York Department of Financial Services’ Cybersecurity Regulation (23 NYCRR Part 500), the responsibility to secure sensitive information extends to their affiliates and service providers as well.
While cyber insurance policies can provide an array of coverages and are a must-have, preparation is your best defense against a cyberattack. Many financial companies are required to create and maintain a written information security program as well as a safeguards compliance program. All companies should apply security patches as soon as they are available and actively monitor their systems for signs of unauthorized access, including credential compromise resulting from phishing attacks that trick employees into revealing passwords or other sensitive information. Sensitive data, including payment card data, should be retained only for as long as necessary and stored encrypted, with access limited to those who need it. Contracts with service providers should mandate equally strong data security practices. The time and effort spent on data protection have proven to be well worth the investment.