Fashion Company Shein Fined $1.9 Million in New York

October 18, 2022 | 4 minutes read
Fashion Company Shein Fined $1.9 Million in New York

Last week, it was announced that the popular fast fashion brand Shein was being fined $1.9 million in response to the company’s handling of a 2018 data breach. During the aforementioned event, the “Login details for 39 million Shein accounts were stolen in 2018 after its parent company, Zoetop, was targeted by hackers. New York Attorney General Letitia James said Zoetop had lied about the extent of the breach and had notified “only a fraction” of affected customers.” Subsequently, as many as 800,000 residents within New York state were affected by the data breach that occurred.

To this end, Zoetop also allegedly lied about the specific forms of personal information that were disclosed as a result of the data breach that took place, as the company reportedly told customers that it had discovered no evidence of stolen credit card information, or email account addresses and passwords. However, these claims were later proven to be false, as Zoetop had been informed by multiple sources that these data elements were in fact involved in the breach the company sustained in 2018. Nevertheless, Zoetop’s inability to provide its customers with transparency regarding the data breach that impacted the company several years ago has had an adverse effect on all parties involved.

Investigations into the data breach

To this last point, in spite of the sheer amount of customers that were affected by the data breach that Zoetop dealt with in 2018, the company did not reset the passwords for its millions of customers until almost two years later in 2020, after a customer found their personal data for sale via the dark web. For this reason, the “OAG investigation also found that Zoetop “failed to maintain reasonable security measures” at the time of the hack, including using insufficient password management systems and failing to monitor for security issues or have a comprehensive plan in place in case of a cyberattack.”

For reference, New York State does not publicize data breach notifications, in contrast to many other jurisdictions around the country. This is why the news of Zoetop being fined by the New York OAG was only just reported last week, in spite of the fact that the events that inspired the fine occurred in 2018. Nonetheless, the provisions of New York’s Stop Hacks and Improve Electronic Data Security or SHIELD Act mandate that companies serving customers within New York take certain steps to prevent this data from being stolen during the course of a data breach.

Data breach legislation in the U.S.

Nonetheless, the existence of the SHEILD Act did not compel Zoetop to disclose the data breach that took place in 2018 at the time in which it happened, as members of the general public only became aware of the breach after their information had been available via the dark web for nearly 2 years. Likewise, while the fine that was imposed against Zoetop last week for its failure to protect the personal information of its customers was significant for consumers within New York state, it underscores the current issue that is present within the privacy landscape around the nation.

More specifically, due to the fragmented nature of data privacy legislation within the U.S., companies that operate within the country are not beholden to a single federal law that requires them to protect the personal information of their customers. Instead, each state around the U.S. has its own data breach notification law, meaning that these states must spend valuable time and taxpayer dollars to uncover information that could have easily been obtained from a single government agency. In this way, consumers within America are vulnerable to the negative impacts of being involved in a data breach, as each individual state government must work simultaneously to hold these businesses accountable.

Although the news of Zoetop and its subsidiary Shein being fined $1.9 million in response to their handling of a 2018 data breach is only just now making national headlines, the underlying legal work that was needed to enforce such legal action has been unfolding for many years now. Despite this, however, American citizens deserve a higher level of protection and honesty from the companies they patronize on a daily basis, as these companies would not be able to sustain production without this money. More importantly, however, no consumer living in any country around the globe should have to become aware of a data breach via the dark web or some other nefarious channel.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »