Missouri AG Defends Breached Company as Victim

Published On July 16, 2013 | By Randy Sabett | Data Security, Litigation, Privacy

Like most states, Missouri has in place a data breach notification law that requires any entity that experiences a data breach involving covered personal information to “provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach” and to provide such notification “without unreasonable delay.”  In one lawsuit against Schnucks, a grocery store chain based in St. Louis, a group of class action plaintiffs allege that they were not notified in a timely manner of a breach.  In an interesting recent development, however, reports indicate that the Missouri Attorney General has announced that Schnucks did not violate Missouri laws that address data security.  In its investigation, the AG’s office stated that Schnucks “was itself a victim of criminal wrongdoing.”  In this case, the “wrongdoing” involved a breach of Schnucks’ security that led to exposure of at least 2.4 million credit and debit cards between December of 2012 and March of 2013.  The press secretary for the Missouri attorney general reportedly said “[a]fter reviewing the records and speaking with forensic investigators, we did not find that Schnuck Markets violated Missouri laws regarding data security.”

 

Schnucks reportedly hired a forensic investigator sometime in March, contained the breach on March 30th, but didn’t announce the breach until April 15th (providing notice via its website).  While some may argue that such a delay exceeds the legal requirements, Missouri (again, like many other states) has a provision in its data breach law that allows notice to occur in a way that is “[c]onsistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”  Since the law does not specify an actual time frame, it will be interesting to watch this case as it develops further.

 


In addition to the class action mentioned above, at least five other cases are pending in the breach that involved almost 80 store locations.  Despite the announcement by the Missouri AG, Schnucks will need to continue defending itself against a whole host of claims, including that it breached: (a) the Missouri data breach law, (b) the Missouri Merchandising Practices Act (including allegations that its security practices were not adequate), (c) the Illinois Personal Information Act, (d) the Illinois Consumer Fraud and Deceptive Practices Act (including allegations that its security promises were broken), and (e) its duty to protect such information, leading to claims of negligence.  More coverage to follow, including the impact of the Missouri AG’s announcement.

 


About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.
