Eddie Bauer has agreed to a settlement with Iowa financial institution Veridian Credit Union to dispense with a class action lawsuit over a 2016 data breach, according to documents filed in the U.S. District Court for the Western District of Washington. In all, the company could expend some $9.8 million, according to the documents.
The outdoor apparel retailer will pay a minimum of $1 million and a maximum of $2.8 million in settlement distributions, plus up to $2 million to cover attorney fees and other costs, according to the filing. The retailer also expects to spend approximately $5 million taking steps to ensure that its payment and cybersecurity systems are safe, according to the agreement.
While the cost of settling the matter is steep, the retailer admits no wrongdoing, according to the filing. Eddie Bauer didn't immediately return Retail Dive's request for comment. Veridian confirmed that the matter was settled but declined to confirm details.
Retailers represent a significant share of the businesses that accept payments from consumers electronically, and a breach wreaks havoc on customers' personal and financial information, not to mention a retailer's own reputation.
U.S. retailers have the dubious distinction of being among the entities that suffer the most in this area, and the problem has worsened rather than improved, according to a study last year from data security solutions firm Thales eSecurity. That research found that U.S. retail data breaches more than doubled since the previous Thales report, rising to 50% in 2018 from 19% in a 2017 survey. The global average of retail executives reporting data breaches was 27%. Of global retailers, 60% reported at least one breach. U.S. retail was the second most breached segment analyzed by Thales, trailing the U.S. federal government only slightly and ranking ahead of healthcare and financial services.
Yet data breaches in retail continue. Neiman Marcus last year paid a $1.5 million settlement over a previous year's breach; a 2017 attack at Hudson's Bay banners was deemed among the worst ever; Nordstrom last year suffered a breach affecting its employees; and Amazon reportedly dealt with a customer cybersecurity issue last year.
The situation suggests that retailers may not be taking enough proactive steps to prevent such problems.
"Today, data breaches and data regulation are constantly in the news cycle. To avoid their own fifteen minutes of infamous fame, organizations of all sizes should ensure their technology partners conduct a [System and Organization Controls] audit to ensure they securely manage data," Roland Gossage, CEO of e-commerce solutions company GroupBy Inc., said in comments emailed to Retail Dive. Compliance demonstrates company data security, he said, but there are also "significant practical benefits of working with a partner that is compliant, including a more streamlined audit process, stable operational rigor and access to greater service provider information. Developing a formalized process to assess risk can ensure that retailers maintain their consumers’ trust and loyalty."