On August 5, the New York Attorney General announced a settlement with Provision Supply, LLC, d/b/a EZcontactsUSA.com over a data breach resulting in the potential exposure of over 25,000 credit card numbers and other cardholder data. Provision Supply, the operator of EZContactsUSA.com, a Brooklyn-based e-tailer that sells contact lenses and eyewear, agreed to pay $100,000 in penalties and to shore up its data security practices.
According to the New York A.G.’s press release, EZContactsUSA.com’s website experienced a third-party breach in August 2014. The company became aware of the breach as much as a year later when its merchant bank informed it that fraudulent charges were being posted to customers’ credit card accounts.
The A.G. found that EZContactsUSA.com failed to provide notice to its customers or law enforcement officials about the breach, in violation of New York’s data breach notification law. General Business Law § 899-aa requires that notice be provided to affected individuals and various government agencies in the most expedient timeframe possible and without unreasonable delay.
The A.G.’s press release placed great emphasis on EZcontactsUSA’s claims that its website was “100% safe and secure” when, in reality, the website had numerous vulnerabilities. Executive Law § 63(12) and General Business Law §§ 349 and 350 prohibit misrepresenting the safety and security of a website.
The settlement requires EZcontactsUSA.com to conduct thorough and expeditious investigations of any future data security breaches, to provide prompt notice of data security breaches to affected New York residents and to New York law enforcement agencies, to maintain reasonable security policies and procedures designed to protect the personal information of consumers in accordance with New York State General Business Law, and to remediate the many security vulnerabilities contained in its website. EZcontactsUSA.com will also be required to train employees in the most up-to-date data security practices.