Zappos Settles with 9 States, 3 Years Later

By: Arieanna Schweber | 2/4/2015

We recently discussed how quickly the compliance landscape is shifting, with new regulators, new State laws, the EU General Data Protection Legislation and now Obama’s proposed Federal Personal Data Notification & Protection Act. Until such time as Federal legislation is passed, organizations continue to face the challenges of complying with various State laws. Companies that suffer a data breach may face litigation from each individual State where affected consumers reside.

Zappos suffered a data breach in 2012 that affected up to 24 million consumers. It was recently announced that Zappos has now reached data breach settlements with nine States: Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio and Pennsylvania.

In Zappos’ case, a settlement of $106,000 was reached, to be divided among the 9 States involved in the settlement. In many cases, States will act independently, and for much larger settlement amounts.

In addition to the fine, the settlement requires Zappos to improve its security practices, including compliance with information security policies and procedures, annual employee training, third party audits and records of compliance with these standards.

While the settlement is not large, Zappos has faced 3 years of litigation costs, lost business due to a loss of consumer trust, and likely an increase in marketing and PR costs to recover from this damage. A survey by Javelin on behalf of Identity Finder found that 33% of consumers would change retailers after a data breach, showing that a loss of consumer faith directly impacts online sales.

Learn how Absolute Software can help your organization navigate the choppy regulatory landscape and mitigate data security risks here.
