Visionworks will pay the state of Maryland $100,000 to settle a lawsuit over alleged data breaches the company had in 2014, state Attorney General Brian Frosh said on Wednesday.
More than 72,000 state residents were affected by the data breaches, Frosh said. The investigation by Frosh’s office revealed the company didn’t secure customers’ personal information securely when it upgraded to a fully encrypted server in Annapolis and Jacksonville, Florida.
The old servers with the information on it were left unsecured, and it left the names, addresses, birthdates and purchasing histories of its customers vulnerable. About three days of credit card data was also on the servers, which were “accidentally misplaced and are believed to have been taken to landfills,” Frosh said.
There wasn’t any evidence that the information was compromised, but Visionworks notified customers that were affected and offered a year of free credit monitoring.
"Devices that contain personal information must be properly secured and discarded. Otherwise, the door is open for data to fall into the wrong hands," Frosh said. "This case should put businesses on notice that they need to be vigilant on behalf of their customers."
In addition to the monetary fine, the company also agreed to improve its security practices, and will extend the freed credit monitoring to customers that contact the business or the Consumer Protection Division within the next two years.