October 12, the New York Attorney General’s Office announcement that it fined Zoetop, the parent company of fast fashion e-commerce brands Shein and Romwe, $1.9 million for its mishandling of a data breach in 2018. The data breach involved the theft of 39 million Shein accounts and 7 million Romwe accounts. The New York AG determined that the company failed to properly protect consumer data and failed to adequately disclose the extent of the breach to consumers.
The retail sector is a frequent target of cyberattacks. Credentials are the most common type of compromised data in this industry, according to Verizon’s 2022 Data Breach Investigation Report. Attackers beyond the 2018 Zoetop breach stole millions of credentials. The company misrepresented the number of consumers affected by the breach and informed only a small portion of affected customers.
The New York AG pointed to Zoetop’s failure in several areas, including password management, customer information protection, monitoring, and incident response.
“Shein and Romwe need to strengthen their cybersecurity measures to protect consumers against fraud and identity theft. This agreement should send a clear warning to businesses that they need to strengthen their digital security measures and be transparent with consumers, nothing less will be tolerated,” Attorney General Letitia James said in the statement from her office.
Entities that have access to sensitive customer data are bound by confidentiality and breach of notification laws in all 50 US states. The Cyber Incident Reporting for Critical Infrastructure Act 2022 (CIRCIA), enacted in March, requires “Covered Entities to report Covered Cyber Incidents and Ransomware Payments to CISA.” Additionally, all companies that store the personal information of EU residents are subject to compliance with the General Data Protection Regulation (GDPR). How are fines assessed, such as the one Zoetop has to pay to New York State?
“Each major privacy law has a slightly different methodology for determining fines, but the common underlying themes are that more ‘serious’ violations affect the enforcement and amount of fines,” Kim Rivera, legal and commercial director of the fiduciary intelligence company OneTrust, says InformationWeek.
Shortly after the announcement of the Zoetop fine, the New York Department of Financial Services (DFS) determined that health insurance company EyeMed will have to pay a $4.5 million fine to New York State regarding a 2020 phishing attack. The attack resulted in the exposure of hundreds of thousands of consumers’ personal health data. DFS found that EyeMed failed to implement multi-factor authentication and failed to limit user access privileges.
Fines like these call into question whether future data breaches will result in a similar application.
Tony Foley, privacy and cybersecurity legal analyst at information services firm Wolters Kluwer, Legal and Regulatory US, points out that enforcement activity was relatively limited until a few years ago. But that is changing.
“We are certainly seeing an increase in investigations by attorneys general across the country, not to mention increased scrutiny from federal regulators. As a result, I think companies are going to start paying a lot more attention to their data security and incident response programs,” he says.
If enforcement increases, it’s a clear signal that cybersecurity and breach prevention is an important investment for companies protecting consumer data so coveted by malicious actors.
Prevention is the best way to avoid data breach fines. Even if a company experiences a data breach, the preventive measures it has taken will likely impact the severity of the resulting fine. The New York AG cited Zoetop’s “weak digital security measures” in its statement, and the New York DFS also noted EyeMed’s inadequate security measures. Due to their respective agreements with the state, both companies must take steps to improve their cybersecurity.
“If they [companies] make a demonstrably reasonable effort to protect their data in the first place and take all necessary notification and reporting actions required by law if they are nonetheless attacked, they will likely be immune from enforcement action,” Foley asserts.
As Zoetop’s example clearly shows, proper notification of violations is key to avoiding financial penalties.
“Properly notifying authorities and individuals of a data breach can demonstrate an organization’s commitment to data privacy and transparency, and help maintain trust with consumers, while avoiding subsequent penalties,” says Rivera.