Vintner's Breach Shows Vulnerabilities of Firms Storing Sensitive Data, Lawyers Say
The breach and subsequent lawsuit against a winemaker that allegedly compromised the data of 26,000 customers "underscores the vulnerability of companies handling sensitive customer information," McDermott Will lawyers said in a blog post Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
A class action against Crimson Wine Group in California state court on June 30 alleged that inadequate security allowed a cyberattack to occur between June 26 and June 30, 2024. The attack allegedly exposed customers' personal data, including addresses, Social Security numbers, driver’s license numbers, financial information and medical information. Since Crimson Wine didn't send notification letters to impacted individuals until December 2024, the complainant also alleged delayed notification.
"Alcohol companies -- especially those selling direct to consumer -- collect and store high-value personal data to verify age, process payments, manage memberships, and ship products across state lines," the McDermott Will lawyers said. "This case highlights the need for alcohol companies to evaluate and strengthen their cybersecurity and privacy programs today to minimize legal risk and reputational harm tomorrow."
The lawyers advised alcohol and other direct-to-consumer outlets to ensure security programs are aligned with industry and regulatory standards, tighten data governance, review privacy disclosures and evaluate and strengthen incident response protocols for risk mitigation.