- Office of Attorney General Maura Healey
Online Sock Retailer Resolves Claims of Violating Data Security Laws
Boston — An online retailer of socks will pay $85,000 to resolve allegations that it violated consumer protection and data security laws by failing to protect the personal information of 1,361 Massachusetts residents online, Attorney General Maura Healey announced today.
In the assurance of discontinuance, filed today in Suffolk Superior Court, Bombas LLC has agreed to comply with state laws and implement policies to improve the security of its systems and protect its customers’ sensitive data.
“Businesses must comply with our laws by implementing proper security systems to protect consumers from exposure online,” said AG Healey. “Through our settlement, Bombas will take important steps to safeguard the personal information of its customers going forward.”
The AG’s Office began an investigation after receiving a notification from Bombas in May 2018 that its website was breached and the sensitive personal information of more than 1,000 Massachusetts consumers was compromised between September 2014 and early 2015. The breach, which occurred when unauthorized parties installed malicious code into Bombas’s online shopping cart feature, compromised the names, addresses, and credit card numbers of thousands of Bombas’s customers.
The AG’s Office alleges Bombas failed to comply with Massachusetts data security regulations because it did not have a written information security program (WISP) that included reasonable safeguards over consumers’ credit card information that the company maintained and stored.
The settlement requires Bombas to come into compliance with the law, implement and maintain a WISP, and undertake annual third-party audits of compliance with legally required data security practices.
The AG’s Office enforces the Massachusetts Data Security Regulations, which require businesses and organizations to develop, implement, and maintain a written information security program and protect the personal information of Massachusetts consumers.
If you believe that you have been the victim of a data breach, you will need to take additional steps to protect your credit and your personal information. For additional information, consumers may contact the Attorney General’s consumer hotline at (617) 727-8400. Guidance for businesses on data breaches can be found here.
This matter was handled by Assistant Attorney General Jared Rinehimer and Director of Data Privacy and Security Sara Cable, both of the AG’s Consumer Protection Division.