Privacy and Data Protection – Retail

Overview

Whether we are helping launch a new loyalty program, providing a data security incident response tabletop exercise, advising on advertising rules, or responding to a data security incident, attorneys from our team are on-site at retailer corporate headquarters almost every week of the year. This includes providing counsel before, during, and after data security incidents, where proper preparation, efficient response, and clear and accurate communication are crucial to maintaining a retailer’s market reputation and customer goodwill. Our clients include both traditional and online retailers, supermarkets, department stores, specialty and luxury brands stores, big box chains, hospitality companies, and foodservice companies.

Select Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
More »

Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
  • Providing counsel on digital marketing, including helping companies establish practices that comply with federal and state laws (data collection at the POS, antispam) and industry self-regulation as well as compliance reviews of native advertising practices.
  • Counseling on the development of telephone and text marketing policies that comply with FCC regulations.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
  • A national discount tool retailer, acting as overall incident response counsel following a payment card security incident affecting hundreds of stores, including developing an in-store communications plan, coordinating media notification and Website announcements, providing guidance on the PFI investigation, interacting with state attorneys general, and addressing card network liability assessment demands — no consumer lawsuits were filed.
  • Franchisees of national chains, serving as counsel after they were affected by payment card security incidents.
  • A global e-commerce retailer, acting as incident response counsel following a payment card incident where notification was provided to affected customers in their native language in 26 countries, resolving the incident so that no consumer lawsuits were filed and preliminary regulatory inquiries were closed without adverse action.
  • A global retailer, serving as counsel in response to a Website defacement attack in the EU.
  • Multiple merchants, acting as incident response counsel after their point-of-sale technology vendors’ remote access credentials were stolen and used by an attacker to install Backoff malware variants that captured payment card data.
  • Payment gateways and point-of-sale vendors as incident response counsel for security incidents affecting the payment card environments of their merchant customers, including a sophisticated attack against a gateway that may have persisted for five years.
  • A global retail merchant, acting as overall incident response counsel when it was faced with preliminary indications of a cyberattack putting millions of payment cards at risk, organizing and leading the incident response team (which included the merchant’s in-house counsel, IT department leaders, and internal audit leaders, as well as two forensic firms and a crisis communications firm), developing persuasive forensic evidence demonstrating that the attacker was not able to access or acquire any personal information or payment card data, working closely with the forensic investigator to provide a report to the payment card brands, convincing the card brands that no payment card data was at risk, and guiding the merchant through the remediation of its network environment.
  • One of the largest national grocery chains, advising with pharmacies and health clinics, on privacy policies, security policies, and issues related to store-branded credit cards.
  • Multiple companies affected by ransomware, DDoS, and extortion demands.

Recognition

  • Chambers USA: Nationwide Privacy & Data Security (2013 to 2018)
    • Chambers USA Privacy and Data Security - Healthcare Spotlight Table (2018)
  • Recognized as one of the top law firms for client service, BakerHostetler was named to the 2020 BTI Client Service 30 for the sixth consecutive year.

Publications

Blog

In The Blogs

Previous Next
Data Privacy Monitor
Record-Keeping and Training Requirements in the Proposed Regulations for the CCPA
By James A. Sherer, Nichole L. Sterling
November 26, 2019
The California Consumer Privacy Act (CCPA), California Civil Code §1798.100 and following, does not in itself outline specific training and record-keeping requirements that demonstrate business compliance with consumer requests. However...
Read More ->
Data Privacy Monitor
Refine CCPA Compliance Plan with the Regulations in Mind
November 18, 2019
We previously announced the publication of the first set of proposed regulations that will implement the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. Partner Alan Friel has authored an article published...
Read More ->
Data Privacy Monitor
Children's Privacy Law Updates: Tricks or Treats?
By Carolina A. Alonso
October 31, 2019
It’s finally here! Halloween, the day every kid dreams of for months. It’s a scary time in the world of children’s privacy law – what with the California Consumer Privacy Act (CCPA) lurking around the corner and the specter of FTC...
Read More ->
Data Privacy Monitor
IAB Releases Draft CCPA Compliance Framework for Digital Advertising Industry
By Kyle R. Fath
October 25, 2019
The Interactive Advertising Bureau (IAB) publicly released its draft CCPA Compliance Framework for Publishers and Technology Companies (“Framework”) on Oct. 22, 2019. As we reported here, the Framework is being developed by the IAB and the...
Read More ->
Data Privacy Monitor
Summer Is Over – It's CCPA and NV Crunch Time
By Alan L. Friel
September 9, 2019
It is less than 120 days until California’s ground-shifting new privacy regimen – the California Consumer Privacy Act (CCPA) – goes into effect. There is only a week left for the Legislature to pass the handful of amendment bills that...
Read More ->