Carmen Tracy

Forty-three State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer payment card data at 77 Neiman Marcus stores nationwide. The breach, discovered in 2014, exposed more than 370,000 Neiman Marcus credit cards, at least 9,200 of which the states alleged were subsequently used fraudulently.

In addition to a monetary settlement of $1.5 million, Neiman Marcus has agreed to implement a number of security-related injunctive terms, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
  • Devaluing payment card information, using technologies like encryption and tokenization, to obscure payment card data.

Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.

This settlement follows another multistate resolution with Adobe (here), and together they highlight the State Attorneys General’s continued interest in, and monitoring of, companies’ data security programs and the steps those companies take to prevent, detect, and remediate data breaches. This most recent case is a good reminder to confirm that you have an appropriate data security program in place, and that your records meaningfully document the steps taken to address any cyber incidents that arise.

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA). The forums will take place during January and February 2019 and will give the public an initial opportunity to comment on the requirements set forth by the CCPA and on the regulations the Attorney General must adopt on or before July 1, 2020.

The CCPA was passed in June 2018 and gives California residents specific rights over the personal information that businesses collect about them. Starting January 1, 2020, businesses will be required to comply with a number of provisions, including requirements to disclose their data collection and sharing practices to consumers, to honor consumer requests to delete their data, to let consumers opt out of the sale of their personal information, and a prohibition on selling the personal information of consumers under the age of 16 without explicit opt-in consent.

The CCPA requires the Attorney General to “solicit broad public participation” and adopt regulations regarding issues such as the definition of personal information, considering changes in technology and data collection practices, procedures for how a consumer can submit a request to opt out of the sale of his or her personal information, and procedures for businesses to determine whether a consumer’s request for information is verifiable.

The Attorney General’s announcement is particularly important because CCPA enforcement will not begin until six months after the promulgation of these regulations or July 1, 2020, whichever is sooner. The public forums indicate that Attorney General Becerra’s office is already taking steps to adopt the rules, meaning CCPA enforcement may come sooner rather than later.

These hearings will serve as the first public forum in which businesses and members of the public can voice their thoughts or concerns about the required regulations. Members of the public who would like to speak at the forums can, but are not required to, register online. Comments may also be submitted via mail or email. A full schedule of the forums can be found here.

Kelley Drye is happy to assist if your business is considering whether to submit comments concerning the CCPA regulations or enforcement. These forums present a critical opportunity for any stakeholder interested in California privacy law and enforcement to be heard. For more information on the CCPA and how it may affect your business, please visit our past blog posts here and here.

Last week, Gonzalo wrote about the letter Truth in Advertising sent to the FTC urging the Commission to investigate Diageo’s use of influencers to market Ciroc vodka on Instagram. We also learned last week that the Humane Society sent a similar letter to the FTC requesting that the Commission initiate an investigation of Pilgrim’s Pride for its treatment of chickens. These complaints got us thinking: how often are third parties successful in instigating regulatory activity?

Of course, without knowing the facts, it is impossible to know whether these complaints’ allegations have merit. We do know, however, that many similar complaints have been filed asking the FTC to look into a company’s practices. On the subject of animal welfare alone, for example, we have seen complaints alleging deceptive advertising by puppy sellers and pork producers, and similar claims have been filed by PETA (example here) and Mercy for Animals (example here). These complaints have not usually led to litigation or negotiated consent orders.

That is not to say that these complaints do not result in some action. For example, last year, after four consumer groups urged the FTC to investigate and bring enforcement actions regarding the use of influencers on Instagram, the FTC sent more than 90 letters to companies and influencers, reminding the recipients of their legal obligations. And in 2016, after HSUS urged the FTC to take action against companies claiming “faux fur” (example here), the FTC released a blog post warning consumers about the risks (details here).

Even without FTC action, a complaint by itself may have an effect on the company involved. In 2013, for example, Tyson Foods announced a commitment to the humane treatment of animals and formed an independent advisory panel to help it pursue that mission after the Humane Society and the Animal Legal Defense Fund both filed FTC complaints against the company. Full story here.

In the area of dietary supplement advertising, the FTC has maintained a strong interest in cracking down on false health claims, and it has taken action when urged to do so by third parties. CSPI filed a complaint asking the FTC and FDA to take action against dietary supplements marketed as opioid withdrawal aids, and the agencies did pursue the matter (here).

So, while third-party complaints don’t always (or even usually) lead to formal enforcement action, they do often prompt some response, whether from the regulator or from the company itself.