A federal judge in Wisconsin has declined for a second time to sign off on a settlement agreement between Filters Fast and a class of its customers.
Customers claim Filters Fast did not notify them quickly enough about a 2019 data breach that exposed their personal and credit card info.
The judge is concerned class members weren’t notified adequately due to a response rate of just over 1%.
Customers did not need to show an individualized injury while submitting a claim to receive $25.
The judge claims the email notifications sent to class members had subject lines that did not properly alert customers to what the body of the email entailed, but the customers argue the response rate is consistent with other data breach settlements.
(10/31/2020)
A North Carolina retailer of air and water filters revealed in August its website had been subjected to a significant data breach in February that exposed its customers’ personal and credit card information.
Filters Fast Contacts State Officials and Customers
In August, Filters Fast sent data breach notifications to the attorneys general of several states in which its customers were located to apprise them of the situation. Some of the attorneys general shared the notification on their websites; others shared copies of the individual notices Filters Fast said it would be mailing to its customers.
California Attorney General Xavier Becerra posted a copy of his office’s correspondence from Filters Fast, saying an estimated 26,093 state residents were affected by the cyber-attack.
Vermont and Massachusetts state officials were among the others who also shared copies of the Filters Fast disclosure, including sample customer notifications.
The data breach notification says Filters Fast became aware of a “possible data security incident” in February that might have compromised some sensitive data. As part of its ensuing investigation, Filters Fast said it hired an independent forensics firm to analyze the company’s computer systems.
“On July 20, 2020, that investigation revealed that attackers had succeeded in adding malicious code to the Filters Fast website on July 15, 2019, which allowed unauthorized individuals to capture certain information during the checkout process,” the data breach notification read. “The malicious code was removed on July 10, 2020, during an unrelated update of the website.”
The information likely compromised included customer names, shipping and billing addresses and payment credit card information.
Customers were notified in mid-August.
Criticism and Questions About the Data Breach Notification
RapidSpike, a website performance and security monitoring company, wrote about the Filters Fast situation on its blog, noting that the online retailer “knowingly allowed approximately 3.4 million customers to shop on their compromised website for over [five] months,” based on the company’s revelations. The consumers were vulnerable, according to RapidSpike, because Filters Fast never took its website offline to investigate the suspected data breach when it first came to light in February.
“The company took a month to inform customers of the breach,” RapidSpike wrote. “Although it is important to take some time to ensure the information provided is accurate, this is not an appropriate timeframe for notification.”
Some customers, unhappy with Filters Fast’s handling of the data breach notification, took to social media platforms to complain. In some cases, Filters Fast responded.
In one exchange, a Twitter user and customer tweeted at the company, saying “It took them six month at [sic] to tell me I may have lost thousands of dollars. I work in IT. It doesn’t take six months … It takes one day, at the most, to find out ‘might have’ and (maybe) a month to find ‘how’.”
Filters Fast’s Twitter account replied, saying that “with any event like this, it takes time to gather the relevant information, identify the affected individuals, hold the necessary internal discussions, and make the appropriate decisions to line up the assistance services that are being offered.” The company also said the cyber attacker used highly sophisticated methods “making the work of investigating the incident quite complex and time consuming.”
Rules and Regulations Governing Data Breach Notification
According to the National Conference of State Legislatures, all 50 states along with the District of Columbia and Puerto Rico have varying requirements when it comes to data breach notification.
Only eight states have laws that include specific deadlines by which companies must notify customers after discovering a breach, The Washington Post says: Connecticut, Florida, Maine, New Mexico, Ohio, Rhode Island, Tennessee and Vermont. Those deadlines range from 30 to 90 days.
There are no federal regulations.
Expert Opinions on Data Breach Notification Regulations
In 2018, The Washington Post put the question of data breach notification to its standing panel of cybersecurity leaders from government, academia and the private sector it calls The Network. Panelists – there are more than 100 of them – were asked what they thought about current notification regulations, proposed regulations and how companies have been handling breach disclosures.
The jumping-off point was the European Union’s requirement that companies there inform customers of a data breach within 72 hours of discovery or risk penalty. About 54% of the experts polled said the U.S. should have a similar federal law. Congressman Jim Langevin of Rhode Island was one of them.
“Today, companies in the United States are required to comply with 50 different state laws when they suffer a data breach,” he told The Post. “This is bad for business and bad for consumers, who are treated differently depending on where they live.”
Langevin had introduced legislation that would set a more lenient federal limit on the amount of time a company has to make a data breach notification than the EU’s rule. Meanwhile, Senators Amy Klobuchar of Minnesota and John Kennedy of Louisiana have tried introducing bills that mirror the European measure. None have been voted on.
5 thoughts on Why Did Filters Fast Wait to Send a Data Breach Notification?
Add me
Add me
As a past customer, I never received class action notice.
Add me
We have purchased through their website numerous times.