Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Pennsylvania: AG reaches $100,000 settlement with Herff Jones over data security violations

The Pennsylvania Attorney General ('AG') announced, on 16 December 2022, that they had reached a $100,000 settlement with Herff Jones, LLC ('Herff Jones') for its failure to properly employ reasonable data security measures in protecting consumers' payment card information. In particular, the investigation carried out revealed that Herff Jones was not in compliance with the Payment Card Industry Data Security Standard ('PCIDSS') requirements.

Furthermore, the settlement requires Herff Jones to maintain reasonable security policies designed to protect consumer personal information, which include:

  • designating an employee to coordinate and supervise information security programs;
  • conducting annual security risk assessments of networks storing personal information;
  • conducting annual employee training to inform employees who are responsible for handling private information about the company's data security practices; and
  • designing and implementing reasonable security measures for the protection and storing of personal information (e.g. conducting penetration-testing of its networks and implementing reasonable access controls).

Lastly, in light of the settlement, Herff Jones must comply with the PCIDSS and validate compliance by engaging a qualified security assessor who will conduct an assessment and deliver a report and attestation of compliance.

You can read the press release here and the settlement here.