Bombas Settles with NYAG Over Credit Card Data Breach

Modern sock maker Bombas recently settled with New York over a credit card breach, agreeing to pay $65,000 in penalties. According to the NYAG, malicious code was injected into Bombas’ Magento ecommerce platform in 2014. The company addressed the issue over the course of 2014 and early 2015 and, according to the NYAG, determined that bad actors had accessed customer information (names, addresses and credit card numbers) of almost 40,000 people. While the company notified the payment card companies at the time, it concluded that it did not need to notify impacted individuals because the payment card companies “did not require a formal PFI or otherwise pursue the matter beyond basic questions.”

In 2018, Bombas updated its cyber program, which caused it to “revisit” the incident and decide to notify impacted individuals and attorneys general. The NYAG concluded that the company had delayed in providing notice in violation of New York breach notification law, which requires notification “in the most expedient time necessary.” In addition to the $65,000 penalty, the company has agreed to modify how it might handle potential future breaches. This includes conducting prompt and thorough investigations, as well as training employees on how to handle potential data breach matters.

Putting it into Practice

This settlement is a reminder to companies to ensure that they have appropriate measures in place to investigate potential breaches and that they understand their notification obligations.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.
For more on financial breaches, please see the Financial Institutions & Banking page on the National Law Review.

Published by

National Law Forum
