In Response to How the Company Handled its 2015 Data Breach, NY AG Letitia James Recently Filed a Lawsuit Against Dunkin’ Brands, Inc.
Dunkin’ Donuts is in hot water (not coffee) over its response to a 2015 data breach. New York Attorney General Letitia James recently filed a lawsuit against Dunkin’ Brands, Inc. (Dunkin’), alleging that the coffee-chain franchisor committed fraud by misinforming its customers about the nature of the cyberattack.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James argues in a press statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
NY AG Lawsuit Against Dunkin’ Donuts
According to the lawsuit against Dunkin’, customer accounts, created through the Dunkin’ website or free mobile app for Android and iOS devices to manage DD value cards, were targeted in 2015 by a series of “brute force attacks.” The attacks involve repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. As a result of the brute force attacks, almost 20,000 customer accounts were compromised, and tens of thousands of dollars on customers’ DD cards were stolen.
By May 2015, Dunkin’ personnel were receiving customer reports that their accounts had been hacked. In addition, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.
The Attorney General’s lawsuit alleges that Dunkin’ failed to properly respond to the breach. “Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen,” the suit alleges. It further maintains that Dunkin’ failed to take steps to protect customers whose accounts had been breached. “Among other failures, Dunkin’ did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts,” the suit states.
In late 2018, a vendor notified Dunkin’ that customer accounts were again compromised, with the attacks leading to the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them. According to the suit, although Dunkin’ contacted impacted customers, it failed to disclose that customer accounts had been accessed without authorization. Rather, the company stated that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful, according to the suit.
The suit alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The state is seeking injunctive relief, full restitution to customers, civil penalties, and other remedies.
Determining When Data Breach Notification Is Required
Dunkin’ Donuts maintains that its investigation failed to conclude that any customer accounts were wrongfully accessed. Accordingly, it determined customer notification was not required.
As the Dunkin’ data breach suit highlights, companies often struggle to determine whether they must inform customers of a data breach. The current regulatory landscape does not make the process any easier. While regulators such as the Securities and Exchange Commission and the Department of Health and Human Services have issued guidance for businesses under their purview, there is no federal law governing data breaches. To fill the void, states like New York and California have enacted their own regulations.
The state-level regulations are not consistent and continue to evolve. In New York, Gov. Andrew Cuomo signed the SHIELD Act into law this summer, which amends the state’s data breach notification requirements.
To meet the challenges of complex and ever-evolving data breach notification requirements, we encourage businesses to stay on top of legal developments and regularly consult with experienced counsel regarding your data security policies and procedures.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, David Einhorn, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Portability of estate and gift tax enables a surviving spouse to inherit any unused portion of their deceased spouse’s federal estate and gift tax exemption. So, if one spouse doesn’t utilize their full exemption, the surviving spouse can effectively double their exemption amount with regard to estate tax liability. For married couples, portability offers a […]
Pet Trusts in New Jersey and New York: A Practical Estate Planning Tool
For many of us, pets are more than companions—they are members of the family. Yet they are often overlooked or inadequately provided for when it comes to estate planning. A pet trust offers a legally enforceable way to ensure that your animal continues to receive proper care if you become incapacitated or pass away. As […]
For many New Jersey business owners, a closely held company represents decades of work, financial investment, and personal sacrifice. Trusts in business succession planning are one of the most effective tools for protecting that value, allowing founders to control how and when the business passes to the next generation while reducing the risk of disputes, […]
Read Before You Sign: IT Contract Pitfalls Every NJ Business Should Know
In today’s digital economy, New Jersey businesses of all sizes rely heavily on technology vendors, software providers, cloud platforms, and managed IT services. Whether your company is purchasing software, migrating data to the cloud, engaging a cybersecurity consultant, or entering into a long-term managed services agreement, a careful IT contract review can have significant operational, […]
Non-disclosure agreements (NDAs) remain a critical tool for protecting sensitive business information. However, New York NDA requirements have evolved, and businesses must ensure these agreements are carefully drafted to remain enforceable. In a competitive market like New York City, NDAs are commonly used to protect proprietary information, client relationships, and strategic plans. At the same […]
How Courts Evaluate Testamentary Capacity and Undue Influence Will contests in New Jersey are difficult to win, given the strong presumption that a properly executed will reflects the testator’s intent. However, challenges based on lack of testamentary capacity and undue influence remain common, particularly where there are concerns about mental capacity or the involvement of […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
