Fashion Company Shein Fined $1.9 Million in New York
Last week, it was announced that the popular fast fashion brand Shein was being fined $1.9 million in response to the company’s handling of a 2018 data breach. During the aforementioned event, the “Login details for 39 million Shein accounts were stolen in 2018 after its parent company, Zoetop, was targeted by hackers. New York Attorney General Letitia James said Zoetop had lied about the extent of the breach and had notified “only a fraction” of affected customers.” Subsequently, as many as 800,000 residents within New York state were affected by the data breach that occurred.
To this end, Zoetop also allegedly lied about the specific forms of personal information that were disclosed as a result of the data breach that took place, as the company reportedly told customers that it had discovered no evidence of stolen credit card information, or email account addresses and passwords. However, these claims were later proven to be false, as Zoetop had been informed by multiple sources that these data elements were in fact involved in the breach the company sustained in 2018. Nevertheless, Zoetop’s inability to provide its customers with transparency regarding the data breach that impacted the company several years ago has had an adverse effect on all parties involved.
Investigations into the data breach
To this last point, in spite of the sheer amount of customers that were affected by the data breach that Zoetop dealt with in 2018, the company did not reset the passwords for its millions of customers until almost two years later in 2020, after a customer found their personal data for sale via the dark web. For this reason, the “OAG investigation also found that Zoetop “failed to maintain reasonable security measures” at the time of the hack, including using insufficient password management systems and failing to monitor for security issues or have a comprehensive plan in place in case of a cyberattack.”
For reference, New York State does not publicize data breach notifications, in contrast to many other jurisdictions around the country. This is why the news of Zoetop being fined by the New York OAG was only just reported last week, in spite of the fact that the events that inspired the fine occurred in 2018. Nonetheless, the provisions of New York’s Stop Hacks and Improve Electronic Data Security or SHIELD Act mandate that companies serving customers within New York take certain steps to prevent this data from being stolen during the course of a data breach.
Data breach legislation in the U.S.
Nonetheless, the existence of the SHEILD Act did not compel Zoetop to disclose the data breach that took place in 2018 at the time in which it happened, as members of the general public only became aware of the breach after their information had been available via the dark web for nearly 2 years. Likewise, while the fine that was imposed against Zoetop last week for its failure to protect the personal information of its customers was significant for consumers within New York state, it underscores the current issue that is present within the privacy landscape around the nation.
More specifically, due to the fragmented nature of data privacy legislation within the U.S., companies that operate within the country are not beholden to a single federal law that requires them to protect the personal information of their customers. Instead, each state around the U.S. has its own data breach notification law, meaning that these states must spend valuable time and taxpayer dollars to uncover information that could have easily been obtained from a single government agency. In this way, consumers within America are vulnerable to the negative impacts of being involved in a data breach, as each individual state government must work simultaneously to hold these businesses accountable.
Although the news of Zoetop and its subsidiary Shein being fined $1.9 million in response to their handling of a 2018 data breach is only just now making national headlines, the underlying legal work that was needed to enforce such legal action has been unfolding for many years now. Despite this, however, American citizens deserve a higher level of protection and honesty from the companies they patronize on a daily basis, as these companies would not be able to sustain production without this money. More importantly, however, no consumer living in any country around the globe should have to become aware of a data breach via the dark web or some other nefarious channel.