Buttoning Up Cybersecurity to Avoid Fashion Retailer's Fate

The New York Attorney General’s Office fined Zoetop $1.9 million for its failure to protect consumer data and properly disclose the scope of a 2018 data breach. How could a fine like this be avoided?

Carrie Pallardy, Contributing Reporter

October 21, 2022

4 Min Read
Fashion retail store with mannequins displaying mens and womens clothing merchandise
Paul Hill via Alamy Stock

Oct. 12, the New York Attorney General’s Office announced that it fined Zoetop, the parent company of fast-fashion ecommerce brands Shein and Romwe, $1.9 million for its mishandling of a 2018 data breach. The data breach involved the theft of 39 million Shein accounts and 7 million Romwe accounts. The New York AG determined the company failed to properly protect consumer data and failed to adequately disclose the extent of the breach to consumers.

The retail sector is a frequent target of cyberattacks. Credentials are the most common type of compromised data in this sector, according to Verizon’s 2022 Data Breach Investigations Report. The attackers beyond the 2018 Zoetop breach stole millions of credentials. The company misrepresented the number of consumers affected by the breach and only notified a small portion of the affected customers.

The New York AG pointed to Zoetop’s failure in multiple areas, including password management, protection of customer information, monitoring, and incident response.

“Shein and Romwe must button up their cybersecurity measures to protect consumers from fraud and identity theft. This agreement should send a clear warning to companies that they must strengthen their digital security measures and be transparent with consumers, anything less will not be tolerated,” Attorney General Letitia James, said in her office’s statement.

Entities that have access to sensitive customer data are bound by privacy and breach notification laws in all 50 US states. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law in March, requires “covered entities to report covered cyber incidents and ransomware payments to CISA.” Additionally, any companies that store personal information of EU residents are subject to General Data Protection Regulation (GDPR) compliance. How are fines, like the one Zoetop must pay to New York State, assessed?

“Each major privacy law has a slightly different methodology for determining fines, but the underlying common themes are that more ‘serious’ infringements affect the enforcement and the size of fines,” Kim Rivera, chief legal and business officer at trust intelligence company OneTrust, tells InformationWeek.

Shortly after the announcement of the Zoetop fine, the New York Department of Financial Services (DFS) determined health insurance company EyeMed will have to pay a $4.5 million penalty to New York State related to a 2020 phishing attack. The attack resulted in the exposure of hundreds of thousands of consumers’ personal health data. DFS found that EyeMed failed to implement multi-factor authentication and failed to limit user access privileges.

Fines like these call into question whether future data breaches will result in similar enforcement.

Tony Foley, privacy and cybersecurity legal analyst at information services company Wolters Kluwer, Legal and Regulatory US, points out that enforcement activity has been relatively limited until a couple of years ago. But that is changing.

“We definitely are seeing an uptick in investigations by Attorneys General across the country, not to mention increased focus by federal regulators. As a result, I think companies will start to pay much closer attention to their data security and incident response programs,” he says.

If enforcement is increasing, it is a clear signal that cybersecurity and breach prevention is an important investment for companies that safeguard consumer data so coveted by bad actors.

Prevention is the best way to avoid data breach fines. Even if a company suffers a data breach, the preventative measures it had taken will likely impact the severity of the resultant fine. The New York AG cited Zoetop’s “weak digital security measures” in its statement, and the New York DFS also noted EyeMed’s inadequate security measures. As a result of their respective agreements with the state, both companies must take measures to improve their cybersecurity.

“If they [companies] make a demonstrably reasonable effort to protect their data in the first place and take all the necessary notification and reporting steps required by law if they are nonetheless attacked, they will be likely to escape any enforcement action,” Foley contends.

As made clear by the Zoetop example, proper breach notification is essential to avoiding financial penalties.

“Properly notifying authorities and individuals of a data breach can demonstrate an organization’s commitment to data privacy and transparency, and help maintain trust with consumers, while also avoiding penalties down the road,” says Rivera.

What to Read Next:

Can Data Collection Persist Amid Post-Roe Privacy Questions?

Understanding DDoS Attacks on US Airport Websites and Escalating Critical Infrastructure Cyberattacks

About the Author

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights