On January 26, New York Attorney General Eric Schneiderman announced a settlement with Acer Service Corporation over an alleged data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents. As part of the settlement, Acer agreed to pay $115,000 in penalties and to improve its data security practices. The penalty amounts to approximately $50.12 per New York resident potentially affected.
Acer is a computer manufacturer based in Taiwan. According to the A.G.’s press release, Acer maintained a website that had numerous security vulnerabilities. For example, between July 2015 and April 2016, an Acer employee had enabled a debugging mode on Acer’s e-commerce platform, during which time the website saved all information provided by customers in an unencrypted format. The unencrypted information included customers’ full names, home addresses, email addresses, credit card numbers, card expiration dates, card verification numbers, user names, and passwords. Additionally, Acer erroneously configured its website to allow directory browsing by unauthorized users. This configuration allowed external viewing of and access to subdirectories on the website using a simple web browser, according to the A.G.
In January 2016, Discover Card analyzed hundreds of fraudulent credit card transactions and determined that the fraudulent activity began after consumers’ legitimate transactions with Acer. This pattern is known as a “common point of purchase” and indicates that Acer was potentially the target of a cyber-attack resulting in a compromise of credit card information.
The settlement requires Acer to maintain reasonable security policies designed to protect consumers’ personal information, including:
1. Designating an employee or employees to coordinate and supervise its program designed to protect the privacy and security of personal information;
2. Designating an employee or employees to be notified whenever any personal information is saved to or stored on Acer’s file system in unencrypted form;
3. Annual employee training to educate employees who are responsible for handling personal information about data security, the importance of consumer privacy, and their duty to help maintain its integrity;
4. Providing training in data breach notification law to all staff who are responsible for entering, maintaining, storing, or transferring personal information, and responding to events involving unauthorized acquisition, access, use, or disclosure of personal information;
5. Identifying material risks to the security and confidentiality of personal information that are reasonably likely to result in the unauthorized disclosure, misuse, copying, alteration, destruction, or other compromise of such information, including through the regular review of security industry news sources for newly identified security vulnerabilities;
6. Designing and implementing reasonable safeguards to control the risks identified through risk assessment, including use of multi-factor authentication for remote access to Acer computer systems, implementing an intrusion detection system, and conducting penetration testing (at least annually) and vulnerability assessments (at least quarterly);
7. Regular testing of the effectiveness of the safeguards’ key controls, systems, and procedures; and
8. Developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the agreement and requiring service providers by contract to implement and maintain appropriate safeguards.
The New York Attorney General’s office has been a leader in prosecuting data breaches. In August 2016, the A.G. announced a settlement with EZContactsUSA.com over an incident that involved the potential exposure of over 25,000 credit card numbers and other cardholder data. EZContactsUSA.com agreed to pay the A.G.’s office $100,000 to resolve the investigation. In terms of dollar amounts and requirements to enhance security controls, the Acer settlement is similar to the EZContactsUSA.com settlement.