Zappos Reaches Data Breach Settlement with Nine States

Massachusetts Attorney General Martha Coakley recently announced that has agreed to pay a $106,000 fine and to improve its protection of customer information following a data breach in 2012.

The breach, which took place when hackers accessed part of Zappos’ internal network after breaching one of the company’s servers in Kentucky, exposed up to 24 million customers’ names, email addresses, mailing addresses, phone numbers and encrypted passwords.

The $106,000 fine will be divided equally between nine states: Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio and Pennsylvania.

“Businesses, including online retailers, must appropriately protect their customers’ information by guarding against data breaches,” Coakley said in a statement. “Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place.”

In addition to paying the fine, Zappos will be required to do the following:

  • maintain and comply with its information security policies and procedures
  • provide annual training to employees regarding its security policies
  • provide the nine states’ attorneys general with its current security policy regarding customer information
  • provide the attorneys general with copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years
  • have a third party conduct an audit of its security of personal information, provide the audit report to the attorneys general, and address any identified deficiencies.

“When you entrust your personal information to a business, you expect that business to keep it safe,” North Carolina Attorney General Roy Cooper said in a statement. “Businesses must take the threat of a security breach seriously, and they must do more to protect consumers’ data.”

For Zappos, the impact of the data breach could well reach far beyond the $106,000 fine. According to the 2014 KPMG Holiday Shopping Survey, 38 percent of approximately 1,400 U.S. consumers surveyed in November 2014 said a security breach has a negative impact on how they perceive a company (h/t IT Governance).

Twenty-seven percent of respondents said they’ll only make a purchase at a retailer that’s been hit by a cyber attack if they can’t find the product they need anywhere else.

Similarly, an April 2014 Identity Finder survey of 5,634 U.S. adults found that 33 percent of consumers said they would shop elsewhere if their retailer of choice was breached.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles