On January 7, online retailer Zappos.com Inc. reached a long-awaited settlement with nine states over a 2012 data breach that compromised personal and financial information of nearly 24 million of the company’s customers. Pennsylvania Attorney General Kathleen Kane said in a published statement that a hacker was able to access sensitive data pertaining to millions of consumers nationwide after breaching Zappos’ security systems in early 2012. Her office launched an investigation into the data breach shortly thereafter by sending a letter to Zappos’ CEO, seeking detailed information on the breach as well as on the company’s policies for storing sensitive data.
“Consumer privacy is constantly under attack, and companies of all sizes should ensure they have the highest standards for protecting sensitive information,” Kane said. “As a result of our efforts, Zappos customers can be confident that their personal information will be more secure in the future.”
Under the settlement, Zappos agreed to pay more than $100,000 to the states and to implement enhanced privacy policies and security standards. Each of the states is slated to receive just under $12,000 from the settlement pool.
Zappos has also agreed to conduct regular employee training on security policies and to provide the state attorneys general (AGs) with a report showing current compliance with industry-wide data security standards. Following the announcement of the multistate investigation, Zappos hired an independent third party to conduct an information security audit and to keep the AGs informed of any deficiencies, recommendations, or corrective actions identified.