Bombas, a manufacturer of socks, settled with the New York Attorney General over failing to give proper notification of a breach of customers’ credit card data in 2014. Bombas initially addressed the breach in 2014 when it determined that hackers had gained access to the information of nearly 40,000 customers, including names, addresses, and credit card numbers, by inserting a malicious code into Bombas’ ecommerce platform, Magento. Of the nearly 40,000 customers impacted, approximately 3,000 were residents of New York State.

The hackers placed the malicious software in September 2014. Although Bombas did not discover the code until November 2014, it did not take steps to remediate the issue until January 2015. Ultimately, Bombas mistakenly reintroduced the code to the Magento platform before permanently deleting it on February 8, 2015. At the time, Bombas notified only the payment card companies, concluding that the breach did not require a formal forensic investigator or other further investigation. It was not until March 2018 that Bombas finally began notifying impacted individuals.

New York General Business Law (“GBA”) § 899-aa requires that, in the event of such a data breach, the impacted company must notify all consumers “in the most expedient time possible and without unreasonable delay.” The New York AG determined that Bombas violated this provision by waiting over three years before notifying customers.

As a result of its settlement with the State of New York, Bombas agreed to pay $65,000 in penalties for the violation and agreed to implement new data security policies aimed at preventing data breaches in the future, including conducting training for all appropriate officers, managers, and employees with respect to their roles and responsibilities in preventing and investigating any future suspected data breaches, in compliance with the GBA §899-aa. In addition, Bombas agreed to offer two years of free credit monitoring, fraud consultation, and identity theft restoration services to all potentially affected customers.

Troutman Sanders’ Consumer Financial Services litigation practice, the Law360 Consumer Protection Practice Group of the Year for 2018, regularly represents and advises clients in matters of federal and state privacy and data breach law.