Privacy and Data Protection – Retail

Overview

Whether we are helping launch a new loyalty program, providing a data security incident response tabletop exercise, advising on advertising rules, or responding to a data security incident, attorneys from our team are on-site at retailer corporate headquarters almost every week of the year. This includes providing counsel before, during, and after data security incidents, where proper preparation, efficient response, and clear and accurate communication are crucial to maintaining a retailer’s market reputation and customer goodwill. Our clients include both traditional and online retailers, supermarkets, department stores, specialty and luxury brands stores, big box chains, hospitality companies, and foodservice companies.

Select Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
More »

Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
  • Providing counsel on digital marketing, including helping companies establish practices that comply with federal and state laws (data collection at the POS, antispam) and industry self-regulation as well as compliance reviews of native advertising practices.
  • Counseling on the development of telephone and text marketing policies that comply with FCC regulations.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
  • A national discount tool retailer, acting as overall incident response counsel following a payment card security incident affecting hundreds of stores, including developing an in-store communications plan, coordinating media notification and Website announcements, providing guidance on the PFI investigation, interacting with state attorneys general, and addressing card network liability assessment demands — no consumer lawsuits were filed.
  • Franchisees of national chains, serving as counsel after they were affected by payment card security incidents.
  • A global e-commerce retailer, acting as incident response counsel following a payment card incident where notification was provided to affected customers in their native language in 26 countries, resolving the incident so that no consumer lawsuits were filed and preliminary regulatory inquiries were closed without adverse action.
  • A global retailer, serving as counsel in response to a Website defacement attack in the EU.
  • Multiple merchants, acting as incident response counsel after their point-of-sale technology vendors’ remote access credentials were stolen and used by an attacker to install Backoff malware variants that captured payment card data.
  • Payment gateways and point-of-sale vendors as incident response counsel for security incidents affecting the payment card environments of their merchant customers, including a sophisticated attack against a gateway that may have persisted for five years.
  • A global retail merchant, acting as overall incident response counsel when it was faced with preliminary indications of a cyberattack putting millions of payment cards at risk, organizing and leading the incident response team (which included the merchant’s in-house counsel, IT department leaders, and internal audit leaders, as well as two forensic firms and a crisis communications firm), developing persuasive forensic evidence demonstrating that the attacker was not able to access or acquire any personal information or payment card data, working closely with the forensic investigator to provide a report to the payment card brands, convincing the card brands that no payment card data was at risk, and guiding the merchant through the remediation of its network environment.
  • One of the largest national grocery chains, advising with pharmacies and health clinics, on privacy policies, security policies, and issues related to store-branded credit cards.
  • Multiple companies affected by ransomware, DDoS, and extortion demands.

Recognition

  • Recognized as one of the top law firms for client service, we were named to the 2018 BTI Client Service 30 for the fourth consecutive year.

Publications

Related Services

Featured Video

Craig Hoffman: Data Security and the Retail Industry
Play Video

BakerHostetler's Craig Hoffman discusses credit card breaches EMV, and what retailers should do after an incident.

Blog

In The Blogs

Previous Next
Data Privacy Monitor
U.S. Senate Duo and California Ballot Initiative Propose to Radically Alter U.S. Consumer Internet Privacy and Upend Digital Advertising
By Alan L. Friel
April 19, 2018
Amid growing concerns over the improper use of user information and data breaches, and in the same week as the Senate examines the Cambridge Analytica controversy, a duo of U.S. senators who have long advocated for federal consumer privacy...
Read More ->
Data Privacy Monitor
The Weekly Privacy Rewind
April 18, 2018
Class Actions Uber Data Breach Suits Consolidated in California • The U.S. Judicial Panel on Multidistrict Litigation has settled on the U.S. District Court for the Central District of California in which to centralize the class actions...
Read More ->
Data Privacy Monitor
Deeper Dive: Take Action to Close the Largest Cause of Data Security Incidents – Your Employees
By David E. Kitchen
April 17, 2018
If you work at a typical company, employee actions and inadvertent present the greatest threat to the security of your data. Therefore, providing proper training and technical safeguards is one of the most important means to enhance your...
Read More ->
Data Privacy Monitor
The Weekly Privacy Rewind
By Julie A. Hein, Aaron R. Lancaster
April 11, 2018
Canada Data Breach Notification Provisions of PIPEDA Act Go Into Effect Nov. 1, 2018 • Pursuant to a March 26, 2018 Order in Council, the mandatory breach notification provisions of Canada’s Personal Information Protection and Electronic...
Read More ->
Data Privacy Monitor
Deeper Dive: Key findings From Baker Hostetler's 2018 Data Security Incident Report
By Laura E. Jehl
April 10, 2018
In our 2018 Data Security Incident Report, “Building Cyber Resilience: Compromise Response Intelligence in Action,” we identify and analyze the most important trends and takeaways from the more than 560 incidents we handled last year...
Read More ->