19 December 2022 - Attorney General Josh Shapiro today announced a settlement with Herff Jones, LLC (“Herff Jones”) – producer and seller of yearbooks, class rings, caps and gowns, and other graduation memorabilia – after a data security event discovered in April 2021 exposed 30,295 Pennsylvania consumers’ payment card information. The investigation conducted by Attorney General Shapiro, in conjunction with the New York Attorney General’s office, revealed that Herff Jones failed to properly employ reasonable data security measures in protecting consumers’ payment card information. Herff Jones will pay $100,000 each to both the Pennsylvania and New York Attorneys General Offices.
“Protecting Pennsylvanians’ personal information and financial data is a key priority of my office,” said AG Shapiro. “Every corporation that does business in Pennsylvania needs to stay alert and protect their customers’ personal data or they will have to answer to my office in court. The terms of today’s settlement will help Herff Jones graduate to better protection of consumers’ personal information.”
Herff Jones was notified on April 7, 2021, by one of its payment processors that a number of cards tracing back to Herff Jones were found on three different websites known to sell stolen payment card data. The forensic investigation revealed that on December 15, 2020, an unknown hacker exploited a vulnerability in the company’s web servers that allowed them to steal customers’ payment card information and other personal information.
“Herff Jones turned milestones into mayhem for thousands of students whose personal information was stolen online because of poor data security measures,” said New York Attorney General Letitia James. “Consumers who bought class rings and other graduation tokens had their personal information end up in the wrong hands. Companies have an obligation to prioritize their customers’ digital data safety, and this agreement will require Herff Jones to strengthen its data security measures. I thank Pennsylvania Attorney General Shapiro for his collaboration in this effort.”
A multistate investigation discovered that Herff Jones was not in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements. This standard is administered by the Payment Card Industry Security Standards Council to ensure cardholder data is processed in a secure environment.
The settlement requires Herff Jones to maintain reasonable security policies designed to protect consumer personal information including:
- Designating an employee to coordinate and supervise its information security program;
- Conducting annual security risk assessments of its networks that store personal information;
- Conducting annual employee training to inform employees who are responsible for handling private information about the company’s data security practices;
- Designing and implementing reasonable security measures for the protection and storage of personal information, including timely software patch updates, conducting penetration testing of its networks, and implementing reasonable access controls such as multi-factor authentication;
- Complying with PCI DSS and validating compliance by engaging a PCI Qualified Security Assessor to conduct an assessment resulting in the delivery of a PCI Report on Compliance and Attestation of Compliance.
The Pennsylvania investigation and settlement negotiations were handled by Senior Deputy Attorney General Tim Murphy.