The agreement, made with Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio and Pennsylvania, will see the company take steps to improve customer data safety in the future.
Zappos will also hand over a total of $106,000 within the next 30 days – which will go to the various states in respect of the investigation’s costs.
The inquiry focused on the measures implemented by Zappos to protect customer information following the theft of names, password hashes, email addresses, phone numbers and the last four digits of their payment cards after a company server in Kentucky was breached.
The attorneys general had previously asked the company for more information following the breach:
This incident raises serious concerns about the possibility of fraud and targeted email 'phishing' or other scams, as well as questions about the effectiveness of the company’s measures to protect the confidentiality and security of private information that it receives from consumers.
Fortunately, it seems that no evidence was discovered to suggest that full payment card details were ever compromised.
Even so, the $106,000 fine may seem rather small, given the scale of the breach and the number of customers affected.
Of course, as privacy and security attorney Scot Ganow commented, the overall costs to the business are likely to be much higher in terms of reputation damage and the resulting loss of business.
He highlighted how reputation management, legal action and the introduction of compliance requirements and external audits all come with a cost.
The PR and business fallout can often cost you more than the enforcement action or settlement.
Commenting via a press release issued after the settlement was agreed, North Carolina Attorney General Roy Cooper said:
When you entrust your personal information to a business, you expect that business to keep it safe. Businesses must take the threat of a security breach seriously, and they must do more to protect consumers' data.
The full terms of the settlement reached between Zappos and the nine states mandate that the company must:
- Maintain and comply with its information security policies and procedures;
- Provide the attorneys general with its current security policy;
- Provide the attorneys general copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS) for two years;
- Have a third party conduct an audit of the security of the personal information it holds; and
- Provide relevant training to employees.