Norton Rose Fulbright - Data Protection Report blog

On September 15, 2020, the New York Attorney General (NYAG) announced a proposed settlement with Dunkin’ Brands, relating to brute force and credential stuffing attacks against members’ online accounts (including stored value cards). Dunkin’ does not admit or deny any of the NYAG’s allegations in the complaint. (New York v. Dunkin’ Brands, No. 451787/2019 (N.Y. Sup. Sept. 5, 2020).

2019 Complaint

According to the NYAG’s 2019 complaint, Dunkin’ had been the subject of hacker attacks attempting to breach its members’ online accounts and steal money from the stored value cards that members registered to those accounts. The complaint claimed that the company’s application developer in 2015 provided the company with a list of over 19,000 customer accounts that had been accessed over a five-day period. The complaint alleged that the company failed to investigate the 2015 attacks, including whether funds had been stolen. The complaint also claimed that the company failed to notify affected consumers, and did not reset passwords of the accounts that had been compromised. The NYAG also claimed that the company did not take any measures against future “brute force” attacks. (A “brute force” attack occurs when an attacker simply tries multiple user IDs and passwords (including vendor defaults) to see if any combination will work.)

In late 2018, the complaint further alleged, a vendor notified the company that more than 300,000 member accounts had been accessed. The complaint claimed that the company “falsely conveyed” that an attacker had “attempted” to access accounts, but failed because the vendor had blocked those attempts.

The NYAG alleged that the false statements violated New York’s consumer protection law, and that the company had also violated New York’s breach notification law.

The Proposed Settlement

Almost one year later, the NYAG proposed settling the matter. As part of the proposed consent, the draft definitions defined the 2018 attack as beginning on October 1 2018 and ending on January 31, 2019. The draft consent also included a new group of affected consumers: New York customers whose accounts had been accessed without authorization between January 1, 2020 and April 30, 2020.

The proposed consent would require the company to pay $650,000 in penalties and costs, and would require the company to create and implement a comprehensive written information security plan. The proposed consent specifies that the security program must include “reasonable measures” to protect customer accounts against brute force and “credential stuffing” attacks. (A “credential stuffing” attack occurs when the attacker obtains a set of user IDs and passwords from one—or several—breaches of other sites, and then uses those credentials on different sites, hoping that users simply reused those credentials.)

The proposed consent also would require the company to conduct a “reasonable investigation” if it has a reasonable suspicion that there has been a data security incident. That investigation must include whether (a) the incident is ongoing; (b) the incident’s cause and scope; (c) identification of which accounts were affected; and (d) the categories of personal information that may have been accessed or acquired. (Readers may recall that New York changed its security breach notification law in 2019 from requiring notices for “acquisition” of personal information to notification for either “access or acquisition.”) Under the proposed consent, the company would need to document the investigation and retain that documentation for five years.

The company would also have obligations under the proposed consent if it had a reasonable belief that personal information was accessed without authorization, but those obligations would vary depending upon whether a consumer’s stored value card was affected. In either case, the company would need to reset the customer’s account password and promptly respond to customer requests, including refunds for unauthorized purchases. The difference would be in the third step. If a store value card was not affected, the company would need to notify each affected customer If a stored value card was affected, then the company would be required to transfer the stored value card balance to a new stored value card number.

The proposed consent would require the company to change all affected members’ account passwords within 30 days after the effective date of the consent. It would also require the company to send notices to affected consumers, based upon the model communications attached to the consent.

For 90 days after the notification date, eligible recipients could request their historical account information for their stored value cards (including all transaction data) that is not otherwise available in their account, for the period January 1, 2015 through the effective date of the consent. The company would be required to provide that information within three business days. (Readers may recall that CCPA provides companies with a 45-day period to respond to (much broader) access requests.)

The proposed consent is subject to state court approval.

Our Take

  1. Even though the database of stored value card information appears to be fairly limited, we are concerned that the three-business-day response requirement could become a standard in consent agreements. That time period is very short for companies to provide comprehensive information.
  2. Companies may wish to consider requiring periodic password changes on member accounts, as a security tool. Having users verify their account information and change their passwords helps keep the personal information has up-to-date and can help protect the security of the account. Of course, use of multifactor authentication would provide better security.