There’s a startling contrast between the European regulator-led and U.S. lawyer-led approaches to enforcing cybersecurity standards. This case in the U.S. is a timely reminder to keep everything up to date, protect your clients’ data through minimisation and encryption, and give timely notification when things go wrong:
A putative consumer class action filed in California state court on Friday the 18th against Petco Animal Supplies Stores Inc. (Petco) and its wholly owned subsidiary PupBox Inc. (PupBox) alleges that between February and August an “unauthorized plugin” on the PupBox website caused the personal and credit card information of approximately 30,000 consumers to be stolen by an unauthorized third party. The complaint asserts, on information and belief, that the cyberattack resulted from the defendants’ failure to encrypt payment card data (PCD) at the point of sale and/or that the defendants “failed to install updates, patches, and malware protection or to install them in a timely manner to protect against a data security breach; and/or failed to provide sufficient control employee credentials and access to computer systems to prevent a security breach and/or theft of PCD.” The complaint further alleges that although Petco first learned of the cyberattack in early August, PupBox customers were not notified of the breach until October, creating a two-month lag during which class members could have attempted to mitigate the damage caused by the breach. The lawsuit alleges violations of the Washington State Consumer Protection Act, the California Unfair Competition Law, the California Consumer Records Act, and common law claims for negligence, negligence per se, breach of implied contract, and unjust enrichment.