Rutters, a prominent grocery chain in Pennsylvania with 80 locations statewide, settled a data breach investigation with Attorney General (AG) Michelle Henry’s office by agreeing to pay $1 million and to implement certain injunctive relief. Henry announced the settlement on Wednesday, October 11, following a months-long data breach lasting from 2018 to 2019 that potentially exposed the payment card data of 1.3 million Pennsylvania consumers.

According to Henry’s press release, the attack occurred over nine months and involved all or nearly all of the grocer’s locations. Rutters first learned of the security incident in May 2019, but after conducting an in-house investigation, it concluded that customer payment card information was not stolen. Approximately six months after Rutters concluded its investigation, Mastercard flagged unusual payment card activity associated with customers who shopped at Rutters and required the company to investigate further. An investigation by an independent party found that the 2018-2019 security incident had resulted in the theft of at least 1.3 million different payment cards from Rutters’ network.

Henry cautioned that this breach “could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards.” To protect consumers from the prospect of future harm, the settlement with Rutters will involve “assurance that future risk will be minimized.” Specifically, and in addition to the $1 million payment, Rutters is required to conduct and document a risk assessment and engage independent auditors to ensure compliance and implementation of specific security improvements, which include: the maintenance of a robust information security program; appropriate password management; logging and log-monitoring policies and procedures; routine software patching; and the disabling of inactive accounts after some time.

Why It Matters

The Rutters settlement reflects a growing trend of state AGs engaging in local-level enforcement following a data breach — which is attributable to proficiencies and expertise developed in state AG offices over the past decade. While a data breach can be devastating for a company by itself, the potential for regulatory enforcement can be especially painful.

The investigation into Rutters is a wake-up call to all businesses, whether they have a local or national footprint. Self-help and a healthy dose of optimism rarely work in the breached entity’s favor. Once a company discovers a breach that potentially could have exposed consumer information, it is vitally important that the company (regardless of size) engage experienced outside counsel and forensic firm to ensure the company conducts a thorough investigation protected under privilege, and then satisfies any obligations to consumers, as applicable[1].

[1] Rutters was also sued in a class action lawsuit filed in the Middle District of Pennsylvania in connection with the data breach. In Re Rutter’s Inc. Data Sec. Breach Lit., No. 1:20-cv-00382-CCC (M.D. Penn., filed March 4, 2020).

Troutman Pepper State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
Clay Friedman – Co-leader
Clayton is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice, multidisciplinary teams with decades of experience crafting effective strategies to help deter or mitigate the risk of enforcement actions and litigation.
Judy Jagdmann
Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006.
Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries.
Avi Schick
A former deputy attorney general of New York, Avi applies his experience in bet-the-company matters, representing clients in criminal and civil investigations and enforcement actions before state and federal regulators, prosecutors and enforcement agencies.
Michael Yaghi
Michael is a partner in the firm’s State Attorneys General and Regulatory Investigations, Strategy + Enforcement (RISE) Practice Groups, nationwide teams that advise clients on consumer protection enforcement matters and other regulatory issues.
Tim Bado
Tim is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, where he represents corporations and individuals facing potential civil and criminal exposure. Tim’s experience in government investigations, enforcement actions, and white-collar litigation spans a number of industries, including financial services, pharmaceutical, health care, and government contracting, among others.
Chris Carlson
Chris Carlson represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Natalia Jacobo
Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice. She focuses her practice on two primary areas: government contracting and state attorney general work.
Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Susan Nikdel
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes.
John Sample
John is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on a wide range of general and complex litigation matters, including shareholder disputes, fraud, products liability, breach of contract, and Biometric Information Privacy Act claims.
Whitney Shephard
Whitney is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.
Trey Smith
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice. He focuses his practice on helping financial institutions and consumer facing companies navigate regulatory investigations and resulting litigation.
Daniel Waltz
Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.
Stephanie Kozol
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.