Ohio AG Sues DSW Over Notification in Data Breach

Ohio Attorney General Jim Petro filed a complaint against shoe retailer DSW Inc. on June 6 as a result of the firm's handling of a data breach that it first announced in March.

Filed in the Court of Common Pleas in Franklin County, OH, the suit alleges that DSW violated the state's Consumer Sales Practices Act through an unfair and deceptive act by failing to notify every consumer that had his or her data stolen.

DSW Shoe Warehouse parent Retail Ventures Inc. said March 8 that DSW suffered a data theft affecting 103 of its 175 U.S. stores. Though the number of consumers affected was not made public, reports cited Secret Service sources that put it around 100,000. Stolen data included credit card information and purchase data. On April 18, Retail Ventures, Columbus, OH, issued a statement based on an investigation of the breach saying 1.4 million credit card transactions and 96,000 check payments were discovered across 108 DSW stores. Security firm Ubizen conducted the investigation, though law enforcement continues to investigate the breach as well. A list of affected retail stores and more information for consumers are at www.dswshoe.com.

Information obtained from the credit card transactions included names, credit or debit card numbers and purchase amounts. The check transaction thefts divulged checking account numbers and driver's license numbers only. Retail Ventures said the stolen data did not include Social Security numbers, debit card personal identification numbers or addresses, and no Internet or loyalty program data were accessed.

The bulk of the affected transactions occurred from mid-November 2004 to mid-February 2005, Retail Ventures said. Stolen credit card numbers have been provided by the firm to American Express, Discover, Visa and MasterCard, which alerted the issuing banks. DSW is sending letters to the roughly half of the cardholders for whom it was able to obtain contact information. It also identified about 88 percent of the check customers and is notifying them as well.

Petro's filing asks the court to rule DSW's failure to notify all affected consumers a violation of state law and to order the firm to do so in writing.

Petro began asking that DSW notify all affected consumers in March after the breach was made public. He reiterated this request in April when the volume of stolen data was revealed. In a press release issued the day of the court filing Petro said, “As we have said repeatedly we see no reason why DSW, working with credit card companies and the underlying issuing banks, cannot arrange for direct notification of every affected consumer.”

In other news, DSW made a June 7 filing with the Securities and Exchange Commission that, among other things, set its pending initial public offering at 14.06 million shares of Class A common stock at a price of about $16 per share. DSW said in the filing, “We intend to use the net proceeds of this offering to repay $190 million of intercompany indebtedness owed to Retail Ventures and for working capital and other general corporate purposes. The intercompany indebtedness was incurred to fund dividends to Retail Ventures.”

The SEC filing also estimated the potential loss to Retail Ventures resulting from the data theft as of April 30 to be $6.5 million to $9.5 million. It went on to say, “We do not yet know what effect this incident may have on our customers' perception of us. Since the announcement of the theft, we have not discerned any negative effect on comparable store sales trends after accounting for the shifting Easter holiday. However, given the short time period involved, these recent trends may not be indicative of the long-term effects of the incident.”

Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters

Related Posts