New York Attorney General (AG) Letitia James and global movie theater operator National Amusements, Inc. (National) settled a lawsuit stemming from a 2022 data breach reported by National, which affected 82,128 National employees. As part of its settlement, National agreed to pay $250,000 in penalties to the state and to “improve existing cybersecurity infrastructure to prevent future data breaches.”

In its investigation, the Office of the Attorney General (OAG) determined that National “failed to implement strong data security, which left it vulnerable to a data breach” and “delayed telling affected employees of the breach for more than a year.” The information exposed by the breach included individuals’ names, dates of birth, social security numbers, passport numbers, financial account numbers, driver’s license numbers, and health insurance account numbers.

In addition to the regulatory investigation, class action lawsuits have been initiated against National in the Eastern District of Massachusetts. Plaintiffs have filed claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and invasion of privacy. Any dispositive rulings in the action are still pending.

Takeaways

The National settlement highlights the importance of an effective and thoughtful incident response strategy. The objective of an incident response should be to not only resolve the underlying cause of the security incident from a technical perspective, but to craft a narrative that demonstrates a company’s commitment to conducting a timely and reasonable investigation into the incident. This narrative is often shaped in the early stages of a response, starting with how quickly a company was able to react and what information was shared, if any, and with whom.

This can be challenging, as investigations, especially of National’s magnitude, can take time to complete. Organizations must balance the need, or desire, to share information quickly with concerns regarding the accuracy and completeness of information shared. Therefore, in the early stages of a response, it can be beneficial to establish communication channels with relevant parties, such as impacted groups and/or regulators, to demonstrate the company’s commitment to transparency and cooperation. This proactive approach can help shape a positive narrative about the organization’s response and may dispel false narratives or speculation often fueled by the unknown.

While there is no one-size-fits-all approach to incident response, a consumer-friendly strategy will certainly resonate well with both individual consumers and regulators.


Troutman Pepper State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
Clay Friedman – Co-leader
Clayton is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice, multidisciplinary teams with decades of experience crafting effective strategies to help deter or mitigate the risk of enforcement actions and litigation.
Judy Jagdmann
Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006.
Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries.
Michael Yaghi
Michael is a partner in the firm’s State Attorneys General and Regulatory Investigations, Strategy + Enforcement (RISE) Practice Groups, nationwide teams that advise clients on consumer protection enforcement matters and other regulatory issues.
Samuel E. “Gene” Fishel
Gene is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) practice, based in the Richmond office. He brings extensive regulatory experience, having most recently served as senior assistant attorney general and chief of the Computer Crime Section in the Office of the Attorney General of Virginia, and as special assistant U.S. attorney in the Eastern District of Virginia for 20 years.
Chuck Slemp
Chuck advises clients on a wide range of complex issues that frequently involve government actions, including investigations, inquiries, regulatory matters, and litigation. With a distinguished background in the law and public service, he served as chief deputy attorney general of Virginia before joining the firm. In addition to overseeing the Department of Law and Division of Debt Collection, Chuck managed a team of attorneys who handle complex litigation and investigations. He also directed the attorney general’s legislative affairs and represented the attorney general in various capacities.
Tim Bado
Tim is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, where he represents corporations and individuals facing potential civil and criminal exposure. Tim’s experience in government investigations, enforcement actions, and white-collar litigation spans a number of industries, including financial services, pharmaceutical, health care, and government contracting, among others.
Jessica Birdsong
Jessica is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, magna cum laude, where she served as associate articles editor of the Journal of Law & Technology.
Chris Carlson
Chris Carlson represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.
Blake R. Christopher
Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries.
Natalia Jacobo
Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice. She focuses her practice on two primary areas: government contracting and state attorney general work.
Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Susan Nikdel
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes.
Lane Page
Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues.
Trey Smith
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice. He focuses his practice on helping financial institutions and consumer facing companies navigate regulatory investigations and resulting litigation.
Daniel Waltz
Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.
Cole White
Cole is a member of the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) group. He has a decade of experience working in the attorney general community, having joined the firm from the Wyoming Office of the Attorney General, where he was assistant attorney general.
Stephanie Kozol
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.