Noodles & Co. Suffers Data Breach


Data breaches aren’t just for the healthcare industry or the financial services industry. For example, Noodles & Co. suffered a data breach.

There has been a new rash of data breaches at retail businesses such as home improvement stores and casual restaurants. Krebs on Security has information on one of the most recent data breaches announced at the fast-casual restaurant Noodles & Co.

Asked to comment on the reports, Broomfield, Colo.-based Noodles & Company issued the following statement:

We are currently investigating some unusual activity reported to us Tuesday, May 16, 2016 by our credit card processor. Once we received this report, we alerted law enforcement officials and we are working with third party forensic experts. Our investigation is ongoing and we will continue to share information.

Brian Krebs — one of the leaders of data breach announcements on the internet — noted the close proximity to the recent Wendy’s data breach as well.

All companies that process consumer data, including credit card numbers, social security numbers, or even addresses and phone numbers, should be protecting that information. Unfortunately, even highly successful companies with resources to combat online hackers too often fail to take proper steps to secure this information.

Data Breach Laws in DC

In DC, data breach and privacy laws apply to every individual or business that maintains, possesses, or handles information that they do not own. This includes social security numbers, driver’s licenses or state-issued ID card numbers, and debit or credit card account numbers. The District of Columbia classifies a breach of data as any unauthorized attainment of computerized or other electronic data. This classification extends to any equipment storing the data. One distinction is that employees or agents who gain access to this protected information are excluded from the data breach laws.

In DC, a company that experiences a data breach must communicate this breach to those whose data may have been compromised as soon as possible. There is no strict timeline on how long companies have to notify their customers after a breach; however, consumers must be notified in writing or electronically as soon as reasonably possible. One exception to the written or electronic notification method is that if it would cost a company over $50,000 to notify their clients, or they have over 100,000 clients to notify, they may tell their customers of a data breach through different means. Finally, companies that experience data breach violations in DC could face up to a $100 fine per violation.