Privacy and Data Protection – Retail

Overview

Whether we are helping launch a new loyalty program, providing a data security incident response tabletop exercise, advising on advertising rules, or responding to a data security incident, attorneys from our team are on-site at retailer corporate headquarters almost every week of the year. This includes providing counsel before, during, and after data security incidents, where proper preparation, efficient response, and clear and accurate communication are crucial to maintaining a retailer’s market reputation and customer goodwill. Our clients include both traditional and online retailers, supermarkets, department stores, specialty and luxury brands stores, big box chains, hospitality companies, and foodservice companies.

Select Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
More »

Experience

Proactive
  • Conducting security incident response training and tabletop exercises for more than 50 major retailers in the past two years alone.
  • Providing guidance on revalidating PCI DSS compliance, the October 2015 EMV liability shift, and implementing point-to-point encryption (P2PE) and tokenization.
  • Helping companies establish or refresh their e-commerce operations, including site privacy policies and terms of use, as well as negotiating contracts with technology service providers for payment applications and gateways, hosting, fraud analytics, and managed security.
  • Providing counsel on digital marketing, including helping companies establish practices that comply with federal and state laws (data collection at the POS, antispam) and industry self-regulation as well as compliance reviews of native advertising practices.
  • Counseling on the development of telephone and text marketing policies that comply with FCC regulations.
Incident Response
  • Schnuck Markets, Inc., as overall incident response counsel on all matters arising from its disclosure that up to 2.4 million payment cards were at risk from a cyberattack, including addressing regulatory investigations, obtaining a declaration from the Missouri Attorney General that Schnuck did not violate any data security laws, defending multiple consumer putative class actions, defending a putative class action brought on behalf of banks that issued affected payment cards, addressing card network liability assessment demands, and bringing a successful suit against Schnuck’s acquiring bank and payment processor to enforce a limitation-of-liability provision in the merchant services agreement.
  • A nationwide retailer, serving as counsel on incident response and regulatory inquiries associated with its disclosure of a payment card security incident.
  • A national discount tool retailer, acting as overall incident response counsel following a payment card security incident affecting hundreds of stores, including developing an in-store communications plan, coordinating media notification and Website announcements, providing guidance on the PFI investigation, interacting with state attorneys general, and addressing card network liability assessment demands — no consumer lawsuits were filed.
  • Franchisees of national chains, serving as counsel after they were affected by payment card security incidents.
  • A global e-commerce retailer, acting as incident response counsel following a payment card incident where notification was provided to affected customers in their native language in 26 countries, resolving the incident so that no consumer lawsuits were filed and preliminary regulatory inquiries were closed without adverse action.
  • A global retailer, serving as counsel in response to a Website defacement attack in the EU.
  • Multiple merchants, acting as incident response counsel after their point-of-sale technology vendors’ remote access credentials were stolen and used by an attacker to install Backoff malware variants that captured payment card data.
  • Payment gateways and point-of-sale vendors as incident response counsel for security incidents affecting the payment card environments of their merchant customers, including a sophisticated attack against a gateway that may have persisted for five years.
  • A global retail merchant, acting as overall incident response counsel when it was faced with preliminary indications of a cyberattack putting millions of payment cards at risk, organizing and leading the incident response team (which included the merchant’s in-house counsel, IT department leaders, and internal audit leaders, as well as two forensic firms and a crisis communications firm), developing persuasive forensic evidence demonstrating that the attacker was not able to access or acquire any personal information or payment card data, working closely with the forensic investigator to provide a report to the payment card brands, convincing the card brands that no payment card data was at risk, and guiding the merchant through the remediation of its network environment.
  • One of the largest national grocery chains, advising with pharmacies and health clinics, on privacy policies, security policies, and issues related to store-branded credit cards.
  • Multiple companies affected by ransomware, DDoS, and extortion demands.

Recognition

  • Recognized as one of the top law firms for client service, we were named to the 2018 BTI Client Service 30 for the fourth consecutive year.

News

Publications

Related Services

Featured Video

Craig Hoffman: Data Security and the Retail Industry
Play Video

BakerHostetler's Craig Hoffman discusses credit card breaches EMV, and what retailers should do after an incident.

Blog

In The Blogs

Previous Next
Data Privacy Monitor
A New Tax Season, but the Same W-2 Spear Phishing Scam
By David M. Brown
January 22, 2018
According to the IRS, the IRS saw the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increase to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred...
Read More ->
Data Privacy Monitor
Toying With Children’s Data: Lessons From the FTC’s First Connected Toys Settlement Action
January 17, 2018
Every year, especially around the holidays, more and more products that connect to the internet hit the market. For adults, connected home devices that act like personal domestic assistants have become increasingly popular. Children have...
Read More ->
Data Privacy Monitor
Recent Trends, Future Predictions, and Effective Risk Assessments
January 8, 2018
Risk assessments are a fundamental part of any organization’s risk management process. But many organizations still do not incorporate true risk assessments into their information-security planning, even though doing so makes good business...
Read More ->
Data Privacy Monitor
The IRS Succeeds in Compelling Crypto Exchange to Disclose User Information
January 4, 2018
As the price of bitcoin leaps and lurches toward new highs, it seems fitting that the legal regime surrounding it and other virtual currencies is similarly unpredictable. With bitcoin edging its way into mainstream finance, and Coinbase...
Read More ->
Data Privacy Monitor
Coming Full Circle: FTC Recovers BIAS Regulation Jurisdiction Following FCC Vote
January 3, 2018
In a widely publicized decision, the Federal Communication Commission (FCC) voted on Dec. 14, 2017, to repeal the tenets of the Protecting and Promoting the Open Internet Order, or the Open Internet Order, of 2015. See Protecting and...
Read More ->