Rutters, a prominent grocery chain in Pennsylvania with 80 locations statewide, settled a data breach investigation with Attorney General (AG) Michelle Henry’s office by agreeing to pay $1 million and to implement certain injunctive relief. Henry announced the settlement on Wednesday, October 11, following a months-long data breach lasting from 2018 to 2019 that potentially exposed the payment card data of 1.3 million Pennsylvania consumers.

According to Henry’s press release, the attack occurred over nine months and involved all or nearly all of the grocer’s locations. Rutters first learned of the security incident in May 2019, but after conducting an in-house investigation, it concluded that customer payment card information was not stolen. Approximately six months after Rutters concluded its investigation, Mastercard flagged unusual payment card activity associated with customers who shopped at Rutters and required the company to investigate further. An investigation by an independent party found that the 2018-2019 security incident had resulted in the theft of at least 1.3 million different payment cards from Rutters’ network.

Henry cautioned that this breach “could have been catastrophic for countless consumers whose personal information was exposed due to flimsy safeguards.” To protect consumers from the prospect of future harm, the settlement with Rutters will involve “assurance that future risk will be minimized.” Specifically, and in addition to the $1 million payment, Rutters is required to conduct and document a risk assessment and engage independent auditors to ensure compliance and implementation of specific security improvements, which include: the maintenance of a robust information security program; appropriate password management; logging and log-monitoring policies and procedures; routine software patching; and the disabling of inactive accounts after some time.

Why It Matters

The Rutters settlement reflects a growing trend of state AGs engaging in local-level enforcement following a data breach — which is attributable to proficiencies and expertise developed in state AG offices over the past decade. While a data breach can be devastating for a company by itself, the potential for regulatory enforcement can be especially painful.

The investigation into Rutters is a wake-up call to all businesses, whether they have a local or national footprint. Self-help and a healthy dose of optimism rarely work in the breached entity’s favor. Once a company discovers a breach that potentially could have exposed consumer information, it is vitally important that the company (regardless of size) engage experienced outside counsel and a forensic firm to ensure that it conducts a thorough investigation protected under privilege and then satisfies any obligations to consumers, as applicable[1].

[1] Rutters was also sued in a class action lawsuit filed in the Middle District of Pennsylvania in connection with the data breach. In Re Rutter’s Inc. Data Sec. Breach Lit., No. 1:20-cv-00382-CCC (M.D. Penn., filed March 4, 2020).

Troutman Pepper State Attorneys General Team
