Saks, Arby's Data Breaches Spur State Legislation
Data breaches aren’t going away anytime soon, and the latest rash of privacy violations has spurred not just consumer concern but state legislation.
This year has already featured major breaches at Saks Fifth Avenue, Arby’s, and JobLink.
U.S. data breaches hit an all-time high in 2016, with nearly 1,100 breaches—a 40 percent increase compared to 2015. They may peak again in 2017, with several high-profile breaches already endangering Americans’ private information.
This year has already featured major breaches at Saks Fifth Avenue, Arby’s, and JobLink. Those breaches may have compromised hundreds of thousands of consumers’ data.
These attacks also prompted the state of New Mexico—previously one of the few states with no data breach notification laws on the books—to finally enact a Data Breach Notification Act.
Saks Breach Allegedly Threatens Tens of Thousands
As first reported by BuzzFeed News last week, Saks Fifth Avenue allegedly posted customers’ email addresses, phone numbers, IP addresses, and product codes (of the times they were interested in purchasing) on unencrypted pages on their website. If true, this vulnerability would have endangered the data of tens of thousands of customers.
“This is as bad as security gets. Everyone is vulnerable.”
A spokesperson for Canada-based Hudson’s Bay Company—which owns and runs the Saks website—told BuzzFeed News, “The security of our customers is of utmost priority, and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses.”
The spokesperson added, “We have resolved any issue related to customer phone numbers, which was an even smaller percent.”
But cybersecurity expert Robert Graham told the site, “This is as bad as security gets. Everyone is vulnerable.”
As a result, many consumers are exploring data breach lawsuits against Hudson’s Bay Company. If you or a loved one have suffered financial or reputational damage as a result of this alleged breach, please contact us today to find out if you might qualify for compensation.
Neiman Marcus Settles Data Breach Lawsuit for $1.6M
Coincidentally, Saks owner Hudson’s Bay Company is reportedly in talks to merge with Neiman Marcus—which recently settled a data breach lawsuit filed by ClassAction.com attorney John Yanchunis for $1.6 million. (If the rumored merger occurs, it may be hard for customers to feel safe using their credit cards at Hudson’s Bay stores.)
The Neiman Marcus breach in December 2013 allegedly exposed the credit card information of 350,000 shoppers. Neiman Marcus claimed the number was much lower, just 9,200 accounts.
Under the terms of the settlement, each member of the class can receive up to $100, while class representatives may receive up to $2,500 for their service.
Mr. Yanchunis has established himself as perhaps the foremost data breach attorney in the country. Recently he was named lead plaintiffs’ counsel in the Yahoo data breach case—the largest class action lawsuit in history, one that includes more than a billion plaintiffs.
New Mexico Finally Passes Data Breach Law
In the wake of these large-scale breaches—along with those of Arby’s and JobLink, among others—the state legislature of New Mexico has finally enacted a piece of cybersecurity legislation: the Data Breach Notification Act, or H.B. 15. That act will now go to Governor Susana Martinez’s desk for her signature.
H.B. 15 states the following:
- Companies and entities must dispose of personal identifying information once those records are “no longer reasonably needed for business purposes.”
- Companies and entities must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.”
- Companies and entities must notify affected parties of a data breach within 45 days of learning of it. That said, no notice is required if the breach does not create “a significant risk of identity theft or fraud.” (“A significant risk” is something attorneys will presumably hash out in the courts.)
- If a breach impacts more than 1,000 New Mexico residents, the attorney general and credit bureaus must also be notified.
If the above measures seem fairly common-sense, they are. All but three states—New Mexico, Alabama, and South Dakota—have similar data breach laws on the books. With New Mexico joining the rest of the country in the 21st century, that leaves just Alabama and South Dakota’s consumers relatively unprotected.
If you or a loved one fell victim to fraudulent credit card charges and/or identity theft as result of a data breach, contact an attorney today for a free, no-obligation legal consultation.