Privacy and Data Protection – Retail

Overview

Whether we are helping launch a new loyalty program, providing a data security incident response tabletop exercise, advising on advertising rules, or responding to a data security incident, attorneys from our team are on-site at retailer corporate headquarters almost every week of the year. This includes providing counsel before, during, and after data security incidents, where proper preparation, efficient response, and clear and accurate communication are crucial to maintaining a retailer’s market reputation and customer goodwill. Our clients include both traditional and online retailers, supermarkets, department stores, specialty and luxury brands stores, big box chains, hospitality companies, and foodservice companies.

Select Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
More »

Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
  • Providing counsel on digital marketing, including helping companies establish practices that comply with federal and state laws (data collection at the POS, antispam) and industry self-regulation as well as compliance reviews of native advertising practices.
  • Counseling on the development of telephone and text marketing policies that comply with FCC regulations.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
  • A national discount tool retailer, acting as overall incident response counsel following a payment card security incident affecting hundreds of stores, including developing an in-store communications plan, coordinating media notification and Website announcements, providing guidance on the PFI investigation, interacting with state attorneys general, and addressing card network liability assessment demands — no consumer lawsuits were filed.
  • Franchisees of national chains, serving as counsel after they were affected by payment card security incidents.
  • A global e-commerce retailer, acting as incident response counsel following a payment card incident where notification was provided to affected customers in their native language in 26 countries, resolving the incident so that no consumer lawsuits were filed and preliminary regulatory inquiries were closed without adverse action.
  • A global retailer, serving as counsel in response to a Website defacement attack in the EU.
  • Multiple merchants, acting as incident response counsel after their point-of-sale technology vendors’ remote access credentials were stolen and used by an attacker to install Backoff malware variants that captured payment card data.
  • Payment gateways and point-of-sale vendors as incident response counsel for security incidents affecting the payment card environments of their merchant customers, including a sophisticated attack against a gateway that may have persisted for five years.
  • A global retail merchant, acting as overall incident response counsel when it was faced with preliminary indications of a cyberattack putting millions of payment cards at risk, organizing and leading the incident response team (which included the merchant’s in-house counsel, IT department leaders, and internal audit leaders, as well as two forensic firms and a crisis communications firm), developing persuasive forensic evidence demonstrating that the attacker was not able to access or acquire any personal information or payment card data, working closely with the forensic investigator to provide a report to the payment card brands, convincing the card brands that no payment card data was at risk, and guiding the merchant through the remediation of its network environment.
  • One of the largest national grocery chains, advising with pharmacies and health clinics, on privacy policies, security policies, and issues related to store-branded credit cards.
  • Multiple companies affected by ransomware, DDoS, and extortion demands.

News

Publications

Related Services

Featured Video

Craig Hoffman: Data Security and the Retail Industry
Play Video

BakerHostetler's Craig Hoffman discusses credit card breaches EMV, and what retailers should do after an incident.

Blog

In The Blogs

Previous Next
Data Privacy Monitor
Moving Beyond Passwords – Does Your Face Raise Privacy Concerns?
November 8, 2017
Phishing attacks continue to be the root cause of a considerable number of data breaches. Typically, these incidents occur when employees are enticed into giving up their login credentials in response to a cleverly designed, yet fake...
Read More ->
Data Privacy Monitor
From the Mouths of Babes: FTC Issues COPPA Enforcement Policy Regarding Voice Recordings
By Alan L. Friel, Melinda L. McLellan
November 7, 2017
On October 23, the Federal Trade Commission (FTC) released new guidance on how the Children’s Online Privacy Protection Act (COPPA) Rule may apply to audio recordings of children’s voices collected by websites and online services...
Read More ->
Data Privacy Monitor
Deception and Unfair Practices Come Preinstalled
By Alan L. Friel
October 23, 2017
Lenovo, a manufacturer of personal computers, recently agreed, among other things, to implement a software security program in a settlement with the Federal Trade Commission (FTC) over issues with third-party software preinstalled on some...
Read More ->
Data Privacy Monitor
FTC Takes Action Against Individual Social Media Influencers
By Stephanie A. Lucas
September 26, 2017
Advertisers’ and brands’ use of social media influencers has continued to grow in importance as brands seek to reach new consumers while marketing to a widespread demographic. Traditionally, influencers are known as people who leverage...
Read More ->
Data Privacy Monitor
European Court Provides Further Clarity on Employee Monitoring
By Emily R. Fedeles, Nichole L. Sterling
September 20, 2017
The September 5, 2017, decision of the Grand Chamber of the European Court of Human Rights (ECHR) in Barbulescu v Romania (Barbulescu) has interrupted a recent trend toward limiting privacy in the European workplace. The Barbulescu...
Read More ->