On July 30, 2025, a wine producer was sued in connection with a cyberattack that allegedly compromised the data of at least 26,000 customers. Among other things, the complaint alleges that the company failed to implement reasonable security measures and failed to provide timely and sufficient notice of the data breach.
This incident underscores the vulnerability of companies handling sensitive customer information. Alcohol companies – especially those selling direct to consumer – collect and store high-value personal data to verify age, process payments, manage memberships, and ship products across state lines. This case highlights the need for alcohol companies to evaluate and strengthen their cybersecurity and privacy programs today to minimize legal risk and reputational harm tomorrow.
In Depth
On July 30, 2025, Plaintiff Joanne Kaplan filed a class action complaint in California Superior Court in Napa County against Crimson Wine Group, Ltd. (CWG). The complaint alleges that a cyberattack between June 26 and June 30, 2024, compromised the personal data of at least 26,000 CWG customers, including names, addresses, Social Security numbers, driver’s license numbers, financial information, medical information, and dates of birth. CWG sent data breach notices to affected individuals and state regulators (including the Texas and Vermont attorneys general) on or about December 13, 2024.
Key allegations include:
- Inadequate security practices: The complaint alleges CWG failed to properly implement basic data security measures and follow Federal Trade Commission (FTC) guidelines, National Institute of Standards and Technology (NIST) cybersecurity standards, and industry best practices.
- Delayed notification: The complaint alleges CWG waited nearly six months to inform affected customers of the breach. According to CWG’s notice to the Vermont attorney general, CWG became aware of the cybersecurity incident on June 30, 2024, and determined on or around December 9, 2024, that some of the affected information included personal data.
Data breaches can implicate multiple state laws and federal and state consumer protection standards. The timeframe for providing notice of a personal data breach varies widely across jurisdictions. The clock typically starts when the company discovers that the compromised data includes personal data, not when the incident occurs or even when the company becomes aware of the cyberattack. The question of whether CWG provided timely notification would therefore depend on the facts of when CWG actually discovered that the compromised data included consumers’ personal data.
- Breach of the privacy policy: The complaint alleges that the privacy policy was provided to the plaintiff in a manner that made it part of the agreement for the services. The complaint further alleges that CWG committed in its privacy policy to protecting the privacy and security of customer data and that this promise was breached by its failure to protect that data.
Steps alcohol and direct-to-consumer companies can take to reduce litigation risk
- Align your security program with industry and regulatory standards. This could include following FTC, NIST, and other guidance on protecting personal data, such as encryption at rest and in transit, multifactor authentication, and continuous vulnerability monitoring.
- Tighten data governance. Limit the collection of sensitive personal data to what is necessary for operations and compliance. Regularly purge outdated or unnecessary customer records; holding onto such data increases your potential liability and notification obligations in the event of a data breach.
- Evaluate and strengthen incident response protocols. Maintain a breach response plan with clear timelines for forensic investigation, containment, regulatory notifications, and consumer outreach. Conduct annual tabletop exercises simulating cyberattacks to test readiness. Be prepared to comply with the shortest notification deadline among applicable jurisdictions.
- Perform due diligence on vendor security. Require third-party service providers (e.g., payment processors, logistics partners) to meet rigorous cybersecurity requirements and periodically audit compliance. Ensure appropriate indemnity for breaches at the vendor, where feasible.
- Review your privacy disclosures. Take care that the wording of your privacy policy does not inadvertently create the basis for a breach of contract claim in the event of a data breach.
- Review your insurance coverage. Evaluate whether your insurance policy covers cyber liability, including litigation defense, regulatory investigations, and notification and remediation costs.
- Conduct cyber assessments under privilege. Ensure that counsel oversee cybersecurity assessments to help preserve privilege over findings. Use privileged assessments to proactively identify and remediate weaknesses before regulators or plaintiffs uncover them.