Privacy and Data Protection – Retail

Overview

Whether we are helping launch a new loyalty program, providing a data security incident response tabletop exercise, advising on advertising rules, or responding to a data security incident, attorneys from our team are on-site at retailer corporate headquarters almost every week of the year. This includes providing counsel before, during, and after data security incidents, where proper preparation, efficient response, and clear and accurate communication are crucial to maintaining a retailer’s market reputation and customer goodwill. Our clients include both traditional and online retailers, supermarkets, department stores, specialty and luxury brands stores, big box chains, hospitality companies, and foodservice companies.

Select Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
More »

Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
  • Providing counsel on digital marketing, including helping companies establish practices that comply with federal and state laws (data collection at the POS, antispam) and industry self-regulation as well as compliance reviews of native advertising practices.
  • Counseling on the development of telephone and text marketing policies that comply with FCC regulations.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
  • A national discount tool retailer, acting as overall incident response counsel following a payment card security incident affecting hundreds of stores, including developing an in-store communications plan, coordinating media notification and Website announcements, providing guidance on the PFI investigation, interacting with state attorneys general, and addressing card network liability assessment demands — no consumer lawsuits were filed.
  • Franchisees of national chains, serving as counsel after they were affected by payment card security incidents.
  • A global e-commerce retailer, acting as incident response counsel following a payment card incident where notification was provided to affected customers in their native language in 26 countries, resolving the incident so that no consumer lawsuits were filed and preliminary regulatory inquiries were closed without adverse action.
  • A global retailer, serving as counsel in response to a Website defacement attack in the EU.
  • Multiple merchants, acting as incident response counsel after their point-of-sale technology vendors’ remote access credentials were stolen and used by an attacker to install Backoff malware variants that captured payment card data.
  • Payment gateways and point-of-sale vendors as incident response counsel for security incidents affecting the payment card environments of their merchant customers, including a sophisticated attack against a gateway that may have persisted for five years.
  • A global retail merchant, acting as overall incident response counsel when it was faced with preliminary indications of a cyberattack putting millions of payment cards at risk, organizing and leading the incident response team (which included the merchant’s in-house counsel, IT department leaders, and internal audit leaders, as well as two forensic firms and a crisis communications firm), developing persuasive forensic evidence demonstrating that the attacker was not able to access or acquire any personal information or payment card data, working closely with the forensic investigator to provide a report to the payment card brands, convincing the card brands that no payment card data was at risk, and guiding the merchant through the remediation of its network environment.
  • One of the largest national grocery chains, advising with pharmacies and health clinics, on privacy policies, security policies, and issues related to store-branded credit cards.
  • Multiple companies affected by ransomware, DDoS, and extortion demands.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security- Healthcare Spotlight Table (2018)
  • Recognized as one of the top law firms for client service, BakerHostetler was named to the 2019 BTI Client Service 30 for the fifth consecutive year.

Publications

Related Services

Featured Video

Craig Hoffman: Data Security and the Retail Industry
Play Video

BakerHostetler's Craig Hoffman discusses credit card breaches EMV, and what retailers should do after an incident.

Blog

In The Blogs

Previous Next
Data Privacy Monitor
Clearly Defined HIPAA and FERPA Policies May Help Covered Entities in Defending a Claim for Unemployment Compensation
By Paulette M. Thomas
February 19, 2019
Recently, in Dantry v. Unemployment Compensation Board of Review, No. 1665 C.D. 2017 (Pa. Cmwlth. 2019), the Commonwealth Court of Pennsylvania reversed the order of the Unemployment Compensation Board of Review (Board) which had affirmed...
Read More ->
Data Privacy Monitor
Best Cybersecurity Practices for Healthcare Organizations – Loss or Theft of Devices
By Kathryn Carey, Aleksandra Vold
February 18, 2019
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series...
Read More ->
Data Privacy Monitor
Best Cybersecurity Practices for Healthcare Organizations – Ransomware Prevention
By Kathryn Carey, Aleksandra Vold
February 8, 2019
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its “Cybersecurity Best Practices” report. For previous articles in the series...
Read More ->
Data Privacy Monitor
Insurance Data Security Model Law Picks Up Steam
By Andreas T. Kaltsounis, Shea M. Leitch
February 6, 2019
Three states recently enacted variations of the National Association of Insurance Commissioner’s (NAIC) Insurance Data Security Model Law (MDL-668), based on the landmark cybersecurity requirements issued by the New York Department of...
Read More ->
Data Privacy Monitor
What Can We Learn From the Healthcare Data Breach ‘Wall of Shame'?
By Eric A. Packel
February 4, 2019
In addition to dealing with the public outcry and regulatory scrutiny resulting from a healthcare data breach, covered entities under the Health Insurance Portability and Accountability Act (or their business associates) are required to...
Read More ->