[co-author: Stephanie Kozol*, Nick Gouverneur]
New York Attorney General (AG) Letitia James and global movie theater operator National Amusements, Inc. (National) settled a lawsuit stemming from a 2022 data breach reported by National, which affected 82,128 National employees. As part of its settlement, National agreed to pay $250,000 in penalties to the state and to “improve existing cybersecurity infrastructure to prevent future data breaches.”
In its investigation, the Office of the Attorney General (OAG) determined that National “failed to implement strong data security, which left it vulnerable to a data breach” and “delayed telling affected employees of the breach for more than a year.” The information exposed by the breach included individuals’ names, dates of birth, social security numbers, passport numbers, financial account numbers, driver’s license numbers, and health insurance account numbers.
In addition to the regulatory investigation, class action lawsuits have been initiated against National in the Eastern District of Massachusetts. Plaintiffs have filed claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and invasion of privacy. Any dispositive rulings in the action are still pending.
Takeaways
The National settlement highlights the importance of an effective and thoughtful incident response strategy. The objective of an incident response should be not only to resolve the underlying cause of the security incident from a technical perspective, but also to craft a narrative that demonstrates a company’s commitment to conducting a timely and reasonable investigation into the incident. This narrative is often shaped in the early stages of a response, starting with how quickly a company was able to react and what information was shared, if any, and with whom.
This can be challenging, as investigations, especially those of the magnitude of National’s, can take time to complete. Organizations must balance the need, or desire, to share information quickly with concerns regarding the accuracy and completeness of information shared. Therefore, in the early stages of a response, it can be beneficial to establish communication channels with relevant parties, such as impacted groups and/or regulators, to demonstrate the company’s commitment to transparency and cooperation. This proactive approach can help shape a positive narrative about the organization’s response and may dispel false narratives or speculation often fueled by the unknown.
While there is no one-size-fits-all approach to incident response, a consumer-friendly strategy will certainly resonate well with both individual consumers and regulators.
*Senior Government Relations Manager