New York State Attorney General Eric T. Schneiderman announced a settlement with Acer Service Corporation (a Taiwanese computer manufacturer) relating to the NYSAG’s investigation of a breach of Acer’s data. The data breach, first reported in June, 2016, involved data for over 35,000 customers throughout the United States, Canada and Puerto Rico, including 2,250 customers who resided in New York.

The accessed data included credit card data, and more specifically, names, addresses, email addresses, card numbers, expiration dates, security codes and user names and passwords – critical information for the customers involved. The data that was accessed covered transactions over an almost 12 month period, from May 12, 2015 through April 28, 2016.

Reports indicated that the information was accessed because Acer had inadvertently stored it in an unsecured format, when debugging mode was enabled on the e-commerce platform. According to the NYSAG investigation, Acer had misconfigured its website allowing directory browsing for unauthorized users.  At least one hacker took advantage of these vulnerabilities, by obtaining information through hundreds of electronic requests for customer data.

As a result of Acer’s failure to protect sensitive customer information for almost a one year period, the NYSAG fined Acer $115,000 and required Acer to implement enhanced data security practices. These enhanced data security practices include:

  • The designation of specific employees to coordinate and supervise Acer’s privacy and security program;
  • A designated individual to be notified if personal information is saved or stored in an unencrypted manner on Acer’s systems;
  • Employee training on data security, consumer privacy and obligations to maintain the integrity of consumer information, on an annual basis for all employees who handle personal information;
  • Staff training on data breach notification requirements for staff who will input, maintain, store or transfer personal information;
  • The identification of significant risks to the confidentiality and security of personal information that reasonably could lead to the unauthorized access, misuse, alteration or other compromise of the information – including newly identified security vulnerabilities – on a regular basis.
  • The implementation of safeguards to control risks, such as multi-factor authentication for remote access, an intrusion detection system, quarterly vulnerability assessments and annual penetration testing, together with testing of systems, controls and safeguards on a regular basis.
  • Ensuring that service providers agree to implement/maintain appropriate safeguards and have the capability to do so.

The Acer data breach was considered to be relatively small in scope – but as the NYSAG settlement indicates, even a data breach on this scale can carry heavy burdens for the entity suffering the breach. Thus, in addition to reminding businesses about some best practices to consider implementing to safeguard personal information, the NYSAG’s investigation makes clear that not only large breaches will come under the office’s scrutiny.