On October 31, 2017, the New York and Vermont Attorneys General announced a settlement with Hilton Domestic Operating Company, Inc., to settle allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches, which exposed over 350,000 credit card numbers.
Continue Reading Hilton Agrees to Settle Data Breach-Related Claims by NY and VT Attorneys General

The PCI Security Standards Council recently published a set of enhanced validation procedures designed to provide greater assurance that certain entities are maintaining compliance with the PCI Data Security Standard effectively and on a continuing basis. In addition, on July 1, 2015, PCI Data Security Standard Version 3.0 is being retired and the controls previously designated by Version 3.0 as best practices will become mandatory.
Continue Reading PCI Security Standards Council Releases Enhanced Validation Requirements for Designated Entities as PCI DSS Version 3.0 Set to Retire

The UK Information Commissioner’s Office found that Lush Cosmetics Ltd. violated the Data Protection Act 1998 by having insufficient measures to protect customer data on its retail website. The ICO required Lush to process customer payment card data in compliance with the Payment Card Industry Data Security Standard but did not impose a monetary penalty on the company.

Continue Reading Lush Avoids ICO Fine After Website Data Breach

On March 28, 2011, Massachusetts Attorney General Martha Coakley announced a settlement with the Briar Group in connection with a 2009 data breach that jeopardized the payment card information of “tens of thousands” of consumers.

Continue Reading Massachusetts Attorney General Reaches $110,000 Data Breach Settlement with Boston Restaurant Group