In Response to How the Company Handled its 2015 Data Breach, NY AG Letitia James Recently Filed a Lawsuit Against Dunkin’ Brands, Inc.
Dunkin’ Donuts is in hot water (not coffee) over its response to a 2015 data breach. New York Attorney General Letitia James recently filed a lawsuit against Dunkin’ Brands, Inc. (Dunkin’), alleging that the coffee-chain franchisor committed fraud by misinforming its customers about the nature of the cyberattack.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James argues in a press statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
NY AG Lawsuit Against Dunkin’ Donuts
According to the lawsuit against Dunkin’, customer accounts, created through the Dunkin’ website or free mobile app for Android and iOS devices to manage DD value cards, were targeted in 2015 by a series of “brute force attacks.” The attacks involve repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. As a result of the brute force attacks, almost 20,000 customer accounts were compromised, and tens of thousands of dollars on customers’ DD cards were stolen.
By May 2015, Dunkin’ personnel were receiving customer reports that their accounts had been hacked. In addition, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.
The Attorney General’s lawsuit alleges that Dunkin’ failed to properly respond to the breach. “Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen,” the suit alleges. It further maintains that Dunkin’ failed to take steps to protect customers whose accounts had been breached. “Among other failures, Dunkin’ did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts,” the suit states.
In late 2018, a vendor notified Dunkin’ that customer accounts were again compromised, with the attacks leading to the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them. According to the suit, although Dunkin’ contacted impacted customers, it failed to disclose that customer accounts had been accessed without authorization. Rather, the company stated that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful, according to the suit.
The suit alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The state is seeking injunctive relief, full restitution to customers, civil penalties, and other remedies.
Determining When Data Breach Notification Is Required
Dunkin’ Donuts maintains that its investigation failed to conclude that any customer accounts were wrongfully accessed. Accordingly, it determined customer notification was not required.
As the Dunkin’ data breach suit highlights, companies often struggle to determine whether they must inform customers of a data breach. The current regulatory landscape does not make the process any easier. While regulators such as the Securities and Exchange Commission and the Department of Health and Human Services have issued guidance for businesses under their purview, there is no federal law governing data breaches. To fill the void, states like New York and California have enacted their own regulations.
The state-level regulations are not consistent and continue to evolve. In New York, Gov. Andrew Cuomo signed the SHIELD Act into law this summer, which amends the state’s data breach notification requirements.
To meet the challenges of complex and ever-evolving data breach notification requirements, we encourage businesses to stay on top of legal developments and regularly consult with experienced counsel regarding your data security policies and procedures.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, David Einhorn, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Breach of Contract Explained: Types and Consequences
Breach of contract disputes are the most common type of business litigation. Therefore, nearly all New York and New Jersey businesses will likely have to deal with a contract dispute at least once. Understanding when to file a breach of contract lawsuit and how long you have to sue for breach of contract is essential […]
How to Dissolve a Corporation in New Jersey: A Step-by-Step Guide
Closing your business can be a difficult and challenging task. For corporations, the process includes formal approval of the dissolution, winding up operations, resolving tax liabilities, and filing all required paperwork. Whether you need to understand how to dissolve a corporation in New York or New Jersey, it’s imperative to take all of the proper […]
Gross Lease vs. Net Lease: Understanding the Key Differences
Commercial leases can take a variety of forms, which is often confusing for both landlords and tenants. Understanding the different types, especially the gross lease structure, is important when selecting the lease that best suits your needs. One key distinction between lease types is how rent is calculated and paid. This article addresses the two […]
What to Do If You Are Impacted by a Retailer Bankruptcy Part 2
Over the past year, brick-and-mortar stores have closed their doors at a record pace. Fluctuating consumer preferences, the rise of online shopping platforms, and ongoing economic uncertainty continue to put pressure on the retail industry. When a retailer seeks bankruptcy protection, a myriad of other businesses are often impacted. Whether you are a supplier, customer, […]
The Current Administration's Proposals for the Financial Services and Banking Industries Will Affect Your Business
Since his inauguration two months ago, Donald Trump’s administration and the Congress it controls have indicated important upcoming policy changes. These changes will impact financial services policies and priorities. The changes will particularly affect cryptocurrency, as well as banking rules and regulations. Key Regulatory Changes in Cryptocurrency For example, in the burgeoning cryptocurrency business environment, […]
Tips for Commercial Landlords Impacted by Wave of Retailer Bankruptcies Part 1
The retail sector has experienced a wave of bankruptcy filings over the last year. Brick-and-mortar businesses in financial distress include big-name brands like Big Lots, Party City, The Container Store, and Vitamin Shoppe. When large retailers seek bankruptcy protection, they are not the only businesses impacted. Landlords can be particularly hard hit. While commercial landlords […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
