AG Coakley Reaches Settlement with Zappos Over Data Breach
Online Retailer to Pay $106,000, Strengthen Security Policies under Multistate Settlement
BOSTON – Nevada-based online retailer Zappos.com, Inc. has agreed to pay a total of $106,000 and take actions to better protect consumers’ information following a 2012 data breach that placed consumers' personal data at risk, Attorney General Martha Coakley announced today.
The assurance of discontinuance, filed today in Suffolk Superior Court, was joined by attorneys general in eight other states, including Arizona, Connecticut, Florida, Kentucky, Maryland, North Carolina, Ohio, and Pennsylvania.
“Businesses, including online retailers, must appropriately protect their customers' information by guarding against data breaches,” AG Coakley said. “Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place.”
An investigation following the unauthorized access of one of Zappos’s computer servers in January 2012 revealed that the server contained customer names, billing and shipping addresses, telephone numbers, the last four digits of credit card numbers, and login credentials of customers. There was no evidence that full credit or debit card numbers or other payment data was impacted by the breach. More than 740,000 Massachusetts residents were affected.
Under the terms of the settlement, Massachusetts will receive more than $11,000. Zappos is also required to:
- Maintain and comply with its information security policies and procedures;
- Provide the attorneys general with its current security policy regarding customer information;
- Provide the attorneys general copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years;
- Have a third party conduct an audit of its security of personal information, provide the audit report to the attorneys general, and address any identified deficiencies; and
- Provide annual training to employees regarding its security policies.
AG Coakley has led multiple investigations into potential violations of the state’s data protection laws. In December 2014, TD Bank agreed to pay $625,000 and strengthen its security practices after losing unencrypted back-up tapes containing personal information for more than 90,000 Massachusetts customers.
In January 2014, following Target Corporation’s announcement that the email information for approximately 70 million people could be affected by a data breach, AG Coakley joined the executive committee of a multi-state group to investigate the data breach.
In July 2009, AG Coakley led a $9.75 million multi-state settlement between TJX Companies and 41 states, resolving allegations stemming from a January 2007 data breach. Massachusetts received more than $950,000 to ensure personal data protection of Massachusetts residents.
For additional information, consumers may contact the Attorney General's consumer hotline at (617) 727-8400, or view the Federal Trade Commission's identity theft resource, available at www.consumer.gov/idtheft/.
This matter was handled for Massachusetts by Assistant Attorney General Sara Cable of AG Coakley’s Consumer Protection Division.