Communications Litigation Today was a Warren News publication.
PII 'Unencrypted'

Toy Maker's Checkout Snafu Breached Payment Card Industry Standards: Suit

Toy maker Squishable violated its privacy policy when code on its website allowed a third party to view and capture information on the checkout page as customers made purchases, alleges a Monday class action (docket 1:23-cv-03660) in U.S. District Court for Southern New York in Manhattan.

Plaintiff Christine Borovoy of Freeport, Illinois, said the New York-based company notified customers March 2 that their personal identifiable information (PII) was compromised in a data breach May 26-Oct. 12, when a third party was able to capture information entered on customers' checkout page as they made purchases, said the complaint. Squishable discovered the data breach around Oct. 12, said the notice.

Customers' PII was unencrypted before the data breach, alleges the complaint, saying Squishable didn’t use reasonable security procedures “appropriate to the nature of the sensitive, unencrypted information it was maintaining.” That caused plaintiff’s and class members’ PII to be exposed, it said.

The “financial fraud” suffered by Squishable during the data breach shows the company and/or its third-party vendors “chose not to invest in” technology that would encrypt payment card data at point-of-sale to make customers’ data more secure, the complaint alleges. The company “failed to install updates, patches, and malware protection or to install them in a timely manner” to protect against a data breach and failed to provide “sufficient control of employee credentials and access to computer systems to prevent a security breach and/or theft of payment card data,” it said.

Squishable’s failure to protect customers’ data is a “clear breach” of the Payment Card Industry Data Security Standards, industry-wide standards used by organizations that handle payment card data, said the complaint. In light of recent high-profile data breaches, Squishable should have known that its systems would be targeted by cybercriminals, the complaint said.

Plaintiff and class members have suffered and will continue to suffer injuries as a direct result of the data breach, said the complaint. In addition to fraudulent charges and damages to their credit, victims have to spend time and expenses for finding fraudulent charges, canceling cards, buying credit monitoring and identity theft protection and more, it said. Victims have been placed at an “immediate and continuing increased risk of harm from fraud,” it said.

Plaintiff and class members were also damaged by benefit-of-the-bargain damages; defendant had a contractual obligation to provide adequate data security as part of the contractual bargain it entered into with customers, the complaint said.

The class action claims negligence, unjust enrichment, breach of express and implied contract, invasion of privacy and violation of Illinois’ Consumer Fraud and Deceptive Business Practices Act. Plaintiff and class seek equitable relief related to the misuse and disclosure of PII; and injunctive relief, including orders requiring Squishable to protect customer data via encryption, destroy all PII, implement an information security program and engage third-party security auditors to conduct testing and simulated attacks.

Plaintiff and the class also seek an award of actual, nominal, consequential and punitive damages, plus attorneys’ fees and legal costs, the complaint said. Squishable didn't comment Wednesday.