According to a report by Bloomberg Law, e-commerce services vendor Freestyle Solutions Inc. failed to convince a federal court judge in New Jersey to totally dismiss a lawsuit by Penn LLC (PulseTV).
The lawsuit stemmed from a data breach affecting more than 236,000 customers of PulseTV whose payment card data was compromised in a breach that continued for more than one year. PulseTV first became aware of any issue in March 2021, when a third party notified it that it was a Common Point of Purchase, but it was unable to find or confirm any breach. It continued investigating after receiving additional CPC notifications in October 2021, and it retained Kroll in January 2022 to help investigate.
From the ruling’s summary, it appears that Freestyle’s web server had been compromised by malware as early as September 9, 2020, and:
According to the Complaint, Defendant failed to comply with the PCI standards by neglecting to create and retain backups, failing to implement file integrity monitoring, and lacking a change-detection mechanism to alert personnel to unauthorized access to its network. (Id. ¶¶ 63, 65, 73.) Plaintiff alleges that, if Defendant had complied with the PCI standards, it would have been able to detect and timely resolve the data breach. (Id. ¶ 73.) Instead, the data breach was able to persist from September 2020 until February 3, 2022, which allegedly caused Plaintiff and its customers harm in several ways: data belonging to Plaintiff’s customers is now located on the dark web, which means it is available for sale to bad actors with nefarious and illegal purposes,
Freestyle will not have to defend against any negligence claims, but will have to defend claims concerning its allegedly misleading language about PCI DSS compliance and security.