On Tuesday, September 15, New York Attorney General Letitia James announced a settlement with Dunkin’ Brands Inc. regarding a lawsuit in New York state court titled The People of The State of New York et al. v. Dunkin’ Brands Inc., case number 451787/2019. The case was filed in September 2019 by the New York AG’s office, accusing Dunkin’ of failing to take adequate measures to protect customer data from two data breach incidents in 2015 and 2018.

The AG alleged that starting in early 2015, Dunkin’ customers’ online accounts were targeted by hackers who repeatedly attempted to gain access using usernames and passwords stolen through security breaches of unrelated websites and services. According to the AG, Dunkin’ failed to conduct an adequate investigation into the breaches, despite allegedly being put on notice by a third-party developer. The AG also faulted Dunkin’ for allegedly not properly notifying customers of the breaches, and allegedly not freezing affected accounts or changing the passwords on them to prevent further damage. The AG sued Dunkin’ for violating New York’s data breach notification statute, General Business Law § 899-aa, and various NY state consumer protection laws.

The settlement agreement, which still must be approved by Justice Barry R. Ostrager, includes the following requirements of Dunkin’:

  • notify customers impacted by the breaches;
  • reset the passwords for impacted customers;
  • reimburse customers for any fraudulent activity that resulted from the breaches;
  • maintain safeguards to protect against similar incidents in the future;
  • follow incident response procedures when an incident occurs; and
  • pay $650,000 in penalties and costs to the State of New York.

Dunkin’ stressed in a statement regarding the settlement that the breaches never resulted in the hackers gaining access to credit card information. Dunkin’ also noted that it voluntarily implemented the security measures identified in the settlement “long before” the attorney general filed suit.

As businesses and consumers continue to shift toward more online activities, businesses should focus more than ever on maintaining adequate cybersecurity safeguards and incident response procedures. For more information regarding cybersecurity best practices, see Troutman Pepper articles here and here.