In Response to How the Company Handled its 2015 Data Breach, NY AG Letitia James Recently Filed a Lawsuit Against Dunkin’ Brands, Inc.
Dunkin’ Donuts is in hot water (not coffee) over its response to a 2015 data breach. New York Attorney General Letitia James recently filed a lawsuit against Dunkin’ Brands, Inc. (Dunkin’), alleging that the coffee-chain franchisor committed fraud by misinforming its customers about the nature of the cyberattack.
“Dunkin’ failed to protect the security of its customers,” Attorney General Letitia James argues in a press statement. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk. My office is committed to protecting consumer data and holding businesses accountable for implementing safe security practices.”
NY AG Lawsuit Against Dunkin’ Donuts
According to the lawsuit against Dunkin’, customer accounts, created through the Dunkin’ website or free mobile app for Android and iOS devices to manage DD value cards, were targeted in 2015 by a series of “brute force attacks.” The attacks involve repeated, automated attempts to gain access to accounts, often using usernames and passwords stolen through security breaches of other unrelated websites or online services. As a result of the brute force attacks, almost 20,000 customer accounts were compromised, and tens of thousands of dollars on customers’ DD cards were stolen.
By May 2015, Dunkin’ personnel were receiving customer reports that their accounts had been hacked. In addition, a third-party app developer for Dunkin’ repeatedly alerted the company to attackers’ ongoing attempts to log in to customer accounts, and even provided Dunkin’ with a list of 19,715 accounts that had been compromised by attackers over just a five-day period.
The Attorney General’s lawsuit alleges that Dunkin’ failed to properly respond to the breach. “Dunkin’ failed to conduct an appropriate investigation into, and analysis of, the attacks to determine which customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen,” the suit alleges. It further maintains that Dunkin’ failed to take steps to protect customers whose accounts had been breached. “Among other failures, Dunkin’ did not notify its customers of the breach, reset their account passwords to prevent further unauthorized access, or freeze the stored value cards registered with their accounts,” the suit states.
In late 2018, a vendor notified Dunkin’ that customer accounts were again compromised, with the attacks leading to the unauthorized access of more than 300,000 Dunkin’ customer accounts, many of which had DD cards associated with them. According to the suit, although Dunkin’ contacted impacted customers, it failed to disclose that customer accounts had been accessed without authorization. Rather, the company stated that a third party had merely “attempted” to log in to the customers’ accounts and that the attempt may not have been successful, according to the suit.
The suit alleges that Dunkin’ violated New York’s data breach notification statute, General Business Law § 899-aa, by failing to notify consumers and New York State authorities of the 2015 data breach, and failing to accurately notify consumers of the 2018 data breach. The lawsuit also alleges that Dunkin’ violated New York’s consumer protection laws, including Executive Law § 63(12), and General Business Law §§ 349 and 350, by misrepresenting to consumers that it provided reasonable safeguards to protect customers’ personal information when they first signed up for an account. The state is seeking injunctive relief, full restitution to customers, civil penalties, and other remedies.
Determining When Data Breach Notification Is Required
Dunkin’ Donuts maintains that its investigation failed to conclude that any customer accounts were wrongfully accessed. Accordingly, it determined customer notification was not required.
As the Dunkin’ data breach suit highlights, companies often struggle to determine whether they must inform customers of a data breach. The current regulatory landscape does not make the process any easier. While regulators such as the Securities and Exchange Commission and the Department of Health and Human Services have issued guidance for businesses under their purview, there is no federal law governing data breaches. To fill the void, states like New York and California have enacted their own regulations.
The state-level regulations are not consistent and continue to evolve. In New York, Gov. Andrew Cuomo signed the SHIELD Act into law this summer, which amends the state’s data breach notification requirements.
To meet the challenges of complex and ever-evolving data breach notification requirements, we encourage businesses to stay on top of legal developments and regularly consult with experienced counsel regarding your data security policies and procedures.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, David Einhorn, or the Scarinci Hollenbeck attorney with whom you work, at 201-806-3364.
Common Legal Mistakes NYC and New Jersey Business Owners Make
Operating a business in the New Jersey and New York City metropolitan region offers incredible opportunities, but it also requires navigating a dense and highly regulated legal environment. From entity formation to regulatory compliance, seemingly minor legal oversights can expose business owners to significant risk. In our work with businesses throughout the region, our attorneys […]
High-profile founder litigation is more than just a media spectacle. For startup founders, these cases underscore the legal and structural risks that can arise when rapid growth outpaces formal oversight. While launching a new company can be both an exciting and deeply rewarding endeavor, founders must be mindful that it also comes with significant risks. […]
Corporate Governance Reviews: A Practical Guide for New Jersey Companies
Every New Jersey company should periodically evaluate its governance framework. Strong corporate governance protects directors and officers, builds investor confidence, reduces litigation exposure, and positions a company for sustainable growth. The first quarter of the year is a great time to evaluate your corporate governance practices and perform any routine maintenance needed to keep that […]
What to Do After Being Served with a Lawsuit: Steps to Protect Your Legal Rights
Being served with a lawsuit is one of the most stressful legal events a business or individual can face. Whether the claim involves a contract dispute, an employment matter, an intellectual property issue, or another legal challenge, the actions you take in the first few days can significantly shape the outcome of your case. Acting […]
Will 2026 Be a Banner Year for SPACs? Understanding the Risks and Opportunities
Special Purpose Acquisition Companies (SPACs) continue to gain momentum as we move through 2026. After enduring a significant contraction following the 2021 boom and the regulatory scrutiny that followed, SPAC activity rebounded sharply in 2025 and now carries forward into 2026 with real momentum. The SPAC resurgence reflects broader improvements in both market conditions and the […]
Why Compliance Monitoring Matters for NY and NJ Businesses
Compliance programs are no longer judged by how they look on paper, but by how they function in the real world. Compliance monitoring is the ongoing process of reviewing, testing, and evaluating whether policies, procedures, and controls are being followed—and whether they are actually working. What Is Compliance Monitoring? In today’s heightened regulatory environment, compliance […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
