<div dir="ltr"><a href="https://www.jdsupra.com/legalnews/panera-s-breach-and-the-knead-for-68829/">https://www.jdsupra.com/legalnews/panera-s-breach-and-the-knead-for-68829/</a><div><div id="gmail-HTMLContentViewPanel">
<div id="gmail-html-view-content" class="gmail-jds-main-content"><p>
Eight months after a significant data breach involving customer data
was reported to Panera Bread company by a security researcher and within
a day of an article being published laying out the <a href="http://,%20https://krebosonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records">nature and extent of the breach</a>,
the company on April 2, 2018 acknowledged the data leak. However, it
insisted that fewer than 10,000 consumers had been affected in contrast
to the more than 7 million customers several security researchers
estimate were affected.</p>
<p>
The story is not so much the vulnerability in Panera’s online food
ordering system that exposed the customer’s information, nor the fact
that Panera may not have been aware of the breach before the researcher
contacted it, but rather about Panera’s delay disclosing the breach and
its refusal to acknowledge the magnitude of the customer information
leaked. Panera is likely to become the poster child for what not to do
in addressing a data breach. For example, Panera does not have a
dedicated method to accept vulnerability reports from security
researchers, it ignored numerous communications from the security
researcher that attempted to alert the company to the breach and became
defensive about his report, including accusing the security researcher
of being a scammer of some sort. Perhaps the greatest surprise is it
waited eight months to acknowledge the leak and to set about fixing it.
In the meantime more customers were likely affected by the disclosures
of personal information. In addition, the reputational harm to Panera
because it failed to respond quickly and forcefully, could be
significant.</p>
<p>
A national standard that includes a set notice period for businesses to
disclose data breaches to customers would have avoided the situation
Panera finds itself in. The delay could create substantial risk that
customers take legal action against the company. For nearly the last
ten years many U.S. data security and breach notification laws have been
introduced in the Congress but none have passed. Currently at least
one Senate and one House bill have been introduced. H.R. 5388, the
Data Accountability and Trust Act and S. 2179 the Data Security and
Breach Notification Act have been introduced. Both bills contain
provisions that generally require consumers to be notified of any breach
within 30 days after its discovery.</p>
<p>
Panera is not alone in having delayed in reporting breaches. Equifax
and Target are among the many in that category. In fact, in 2017 Uber
actually paid two hackers to keep quiet about a cyberattack that exposed
the data of 57 million Uber riders and drivers. State and federal
lawmakers and security experts all agree that the lack of transparency
by businesses, governmental entities and other organizations is a
problem that needs to be addressed. While many state legislatures have
passed data breach notification periods, the Congress has been unable to
pass legislation to address this and other issues resulting from the
many significant data breaches that occur almost daily. While it is not
clear that consumers have changed their online activity because of
these breaches, that day may come.</p>
</div>
</div><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span style="font-size:10pt"></span></b><span style="font-size:10pt"></span><span style="font-family:arial,helvetica,sans-serif"></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div>