On-line retailer resolves data breach notification delay with New York authorities

On June 6, 2019, the Attorney General of New York announced a settlement with Bombas LLC, an on-line sock retailer, which resolves the investigation into a breach of customer payment card information belonging to 39,561 consumers.  According to the Attorney General, hackers introduced malicious software code into the platform code supporting Bombas’ website in September 2014.  In November of that year, Bombas discovered the malicious code, and then waited two months to remediate.  Moreover, the company waited until May 2018 to notify the affected consumers and relevant New York agencies.  The attorney General found that Bombas’ behavior violated General Business Law §§ 899-aa, which requires notification within an expedient time-period and without unreasonable delay.  In addition to a monetary settlement of $65,000, Bombas has agreed to injunctive provisions to prevent future violations, including expeditious investigations of future data security breaches and employee training.

NY Attorney General press release