Blumenthal Urges Zappos to Provide Credit Freeze and Monitoring for Customers

(Hartford, CT) – Senator Richard Blumenthal (D-CT) today wrote to Zappos, an online shoe and apparel retailer, following a recent data security breach, to urge the company to provide customers with two years of credit monitoring and a credit freeze, and to cover costs for its customers whose data was compromised following the breach.

Blumenthal writes in the letter, “Although consumers’ financial information was not accessed during the breach, enterprising criminals can leverage information like names, addresses, email addresses, and other breached information to gain access to consumers’ accounts and commit identity theft and fraud. Therefore, I request that Zappos provide its customers with the option of receiving two years of credit monitoring and a credit freeze, as well as any costs resulting from the security breach, to be paid for by Zappos.”

Blumenthal is a co-sponsor of the Personal Data Protection and Breach Accountability Act, a bill to protect consumers from threats to their sensitive personally identifiable information and safeguard data security. The bill seeks to help ensure companies take adequate steps to protect individuals from data breaches before they occur, to promote information sharing between companies to help prevent future breaches, and to provide remedies to consumers in the wake of data breaches.

The full text of the letter is below:

Tony Hsieh
Chief Executive Officer
Zappos
2280 Corporate Circle
Henderson, NV 89074 

Dear Mr. Hsieh:

I am writing regarding a security breach of Zappos. According to information provided by your company, Zappos experienced a security breach of customer information following an attack on one of its servers. In addition to the impact that a security breach has on a company, there is also an impact on the company’s customers, whose information is compromised by the security breach.

Although it is unlikely that we will be able to prevent all security breaches, there are steps companies can take to minimize the negative impacts breaches have on consumers. These steps include encrypting customers’ data to ensure that it is unusable even if it is accessed, promptly notifying customers of a breach, and providing appropriate remedies to consumers in order to make them whole following a breach.

I am pleased that your company appears to have employed strong data security practices, including encrypting passwords and storing financial information on separate servers, which were not breached. I also applaud Zappos for taking the proactive step of disabling all account passwords to prevent unauthorized access.

Although consumers’ financial information was not accessed during the breach, enterprising criminals can leverage information like names, addresses, email addresses, and other breached information to gain access to consumers’ accounts and commit identity theft and fraud.

Therefore, I request that Zappos provide its customers with the option of receiving two years of credit monitoring and a credit freeze, as well as any costs resulting from the security breach, to be paid for by Zappos. I believe these remedies provide an excellent safety net for consumers whose data, through no fault of their own, has been compromised and accessed by cybercriminals.

I want to commend you for implementing several strong data security practices. Unfortunately, too few companies employ these practices, which is why I have introduced S. 1535, the Personal Data Protection and Breach Accountability Act. This bill mandates such protections, along with the remedies I have called for above, for security breaches of sufficient size.

I hope you consider my request to provide these remedies to your customers, and I hope other companies will follow your example in the event of a security breach.

Sincerely,

Richard Blumenthal
United States Senate

###