Zappos Ordered to Pay Fine in Wake of Breach

The Consumer Protection Division of Massachusetts Attorney General Martha Coakley’s office recently announced the details of a $106K multi-state settlement reached with online retailer Zappos, which in 2012 was the target of a widely publicized attack that exposed the personal information of over 24 million users. The Attorney General’s investigation found potential violations of the state’s data protection laws after data including consumers’ email addresses, names, and shipping addresses were stolen, though no evidence was found that financial information was taken.

While data security should always be of the utmost importance to an organization, this settlement is yet another clear reminder of the consequences for failing to protect the information of your customers.


Settlement Requirements

Aside from the fine, which must be paid in 30 days, the settlement also requires Zappos to:


  • Provide annual security training to employees
  • Maintain and adhere to information security policies
  • Provide the Attorney General with its customer information security policy
  • Demonstrate compliance with the Payment Card Industry Data Security Standard
  • Obtain a third-party security audit and provide a report of its findings to the Attorney General


Having a strong security policy, properly training employees, and seeking out third-party security audits should be standard operating procedure for any retailer; if there is anything surprising about this settlement, it’s that these steps were not already being followed internally at Zappos.


Growing Trend

Legal action is increasingly the end result of corporate data breaches, and this isn’t the first investigation that Coakley’s Consumer Protection Division has had a hand in. It has been involved in a number of high-profile cases, including the data breaches at Target and TD Bank.

In a press release, Coakley stated: “Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place.”

With groups like Coakley’s Consumer Protection Division aggressively pursuing businesses (online and off) that fail to properly secure their customers’ information, it’s likely we’ll only see more cases like this in the future. While it would be better for all involved if these attacks never occurred, the biggest mistake would be to not learn from them; with luck, the public relations fallout from these attacks will help ensure other retailers take steps to more vigorously protect their customers.