In Response to How the Company Handled its 2015 Data Breach, NY AG Letitia James Recently Filed a Lawsuit Against Dunkin’ Brands, Inc.
Dunkin’ Donuts is in hot water (not coffee) over its response to a 2015 data breach. New York Attorney General Letitia James recently filed a lawsuit against Dunkin’ Brands, Inc. (Dunkin’), alleging that the coffee-chain franchisor committed fraud by misinforming its customers about the nature of the cyberattack.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James argues in a press statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
NY AG Lawsuit Against Dunkin’ Donuts
According to the lawsuit against Dunkin’, customer accounts, created through the Dunkin’ website or free mobile app for Android and iOS devices to manage DD value cards, were targeted in 2015 by a series of “brute force attacks.” The attacks involve repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. As a result of the brute force attacks, almost 20,000 customer accounts were compromised, and tens of thousands of dollars on customers’ DD cards were stolen.
By May 2015, Dunkin’ personnel were receiving customer reports that their accounts had been hacked. In addition, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.
The Attorney General’s lawsuit alleges that Dunkin’ failed to properly respond to the breach. “Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen,” the suit alleges. It further maintains that Dunkin’ failed to take steps to protect customers whose accounts had been breached. “Among other failures, Dunkin’ did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts,” the suit states.
In late 2018, a vendor notified Dunkin’ that customer accounts were again compromised, with the attacks leading to the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them. According to the suit, although Dunkin’ contacted impacted customers, it failed to disclose that customer accounts had been accessed without authorization. Rather, the company stated that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful, according to the suit.
The suit alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The state is seeking injunctive relief, full restitution to customers, civil penalties, and other remedies.
Determining When Data Breach Notification Is Required
Dunkin’ Donuts maintains that its investigation failed to conclude that any customer accounts were wrongfully accessed. Accordingly, it determined customer notification was not required.
As the Dunkin’ data breach suit highlights, companies often struggle to determine whether they must inform customers of a data breach. The current regulatory landscape does not make the process any easier. While regulators such as the Securities and Exchange Commission and the Department of Health and Human Services have issued guidance for businesses under their purview, there is no federal law governing data breaches. To fill the void, states like New York and California have enacted their own regulations.
The state-level regulations are not consistent and continue to evolve. In New York, Gov. Andrew Cuomo signed the SHIELD Act into law this summer, which amends the state’s data breach notification requirements.
To meet the challenges of complex and ever-evolving data breach notification requirements, we encourage businesses to stay on top of legal developments and regularly consult with experienced counsel regarding your data security policies and procedures.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, David Einhorn, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Dunkin’ Donuts Facing NY AG Suit Over Data Breach Response
Author: Scarinci Hollenbeck, LLC
In Response to How the Company Handled its 2015 Data Breach, NY AG Letitia James Recently Filed a Lawsuit Against Dunkin’ Brands, Inc.
Dunkin’ Donuts is in hot water (not coffee) over its response to a 2015 data breach. New York Attorney General Letitia James recently filed a lawsuit against Dunkin’ Brands, Inc. (Dunkin’), alleging that the coffee-chain franchisor committed fraud by misinforming its customers about the nature of the cyberattack.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James argues in a press statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
NY AG Lawsuit Against Dunkin’ Donuts
According to the lawsuit against Dunkin’, customer accounts, created through the Dunkin’ website or free mobile app for Android and iOS devices to manage DD value cards, were targeted in 2015 by a series of “brute force attacks.” The attacks involve repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. As a result of the brute force attacks, almost 20,000 customer accounts were compromised, and tens of thousands of dollars on customers’ DD cards were stolen.
By May 2015, Dunkin’ personnel were receiving customer reports that their accounts had been hacked. In addition, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.
The Attorney General’s lawsuit alleges that Dunkin’ failed to properly respond to the breach. “Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen,” the suit alleges. It further maintains that Dunkin’ failed to take steps to protect customers whose accounts had been breached. “Among other failures, Dunkin’ did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts,” the suit states.
In late 2018, a vendor notified Dunkin’ that customer accounts were again compromised, with the attacks leading to the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them. According to the suit, although Dunkin’ contacted impacted customers, it failed to disclose that customer accounts had been accessed without authorization. Rather, the company stated that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful, according to the suit.
The suit alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The state is seeking injunctive relief, full restitution to customers, civil penalties, and other remedies.
Determining When Data Breach Notification Is Required
Dunkin’ Donuts maintains that its investigation failed to conclude that any customer accounts were wrongfully accessed. Accordingly, it determined customer notification was not required.
As the Dunkin’ data breach suit highlights, companies often struggle to determine whether they must inform customers of a data breach. The current regulatory landscape does not make the process any easier. While regulators such as the Securities and Exchange Commission and the Department of Health and Human Services have issued guidance for businesses under their purview, there is no federal law governing data breaches. To fill the void, states like New York and California have enacted their own regulations.
The state-level regulations are not consistent and continue to evolve. In New York, Gov. Andrew Cuomo signed the SHIELD Act into law this summer, which amends the state’s data breach notification requirements.
To meet the challenges of complex and ever-evolving data breach notification requirements, we encourage businesses to stay on top of legal developments and regularly consult with experienced counsel regarding your data security policies and procedures.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, David Einhorn, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
