Using the Maryland Consumer Protection Act, Maryland Attorney General Brian Frosh has announced that eye care retailer Visionworks, Inc. has agreed to pay the state of Maryland $100,000 and enhance its security measures following an investigation into two security incidents that occurred in 2014. When it was upgrading its Annapolis, Maryland and Jacksonville, Florida stores to fully encrypted servers, Visionworks allegedly left the old servers, containing customers’ names, addresses, dates of birth, purchasing history, health insurance information and three days’ worth of encrypted credit card data, unsecured as they were “misplaced” by accident. They believe the servers were taken to landfills.

Frosh stated that Visionworks expressly and implicitly represented to consumers that it would protect their personal information, including their health information, which was required by HIPAA and the Maryland Personal Information Protection Act. The AG alleged that when it failed to secure the servers and properly dispose of them, Visionworks “committed unfair and deceptive trade practices” that violated the Maryland Consumer Protection Act.

In addition to the $100,000 penalty, Visionworks has also agreed to provide credit monitoring and identity theft insurance to any consumer who contacts it or the AG’s office. It further agreed to enhance its security practices with respect to storage and disposal of personal information, use encryption technology to safeguard personal information, and “not misrepresent the extent to which it protects personal information.”

Although we are used to seeing cases and settlements over security practices with the FTC for unfair and deceptive practices following a data breach (and the Wyndham case has certainly paved the way for more FTC enforcement actions and settlements), seeing settlements with state AGs is less common. However, we anticipate seeing more AGs use the same theory to launch investigations and push for settlements using broad state consumer protection powers. The message to businesses is clear: enhance security measures to avoid enforcement actions at both the federal and state level.