As part of its settlement agreement with the attorneys general of Vermont, New York and California, Ziff Davis also agreed to implement security measures to safeguard data on its systems. Ziff Davis did not admit to any wrongdoing in the matter.
The investigation stemmed from a subscription promotion last November that Ziff Davis ran on its Web site for its Electronic Gaming Monthly magazine. Due to what Ziff Davis called a "coding error," the site exposed the personal data, including credit card numbers, of some of the customers who signed up for the promotion. Some of those whose information was exposed were the victims of identify theft, the attorneys general said.
For its part, Ziff Davis said it cooperated with the investigation and acted immediately to fix the security breach.
"We entered into an assurance agreement with the attorneys general, because we are confident in our security measures and fully committed to protecting our customers' rights and privacy," Jasmine Alexander, Ziff Davis' chief information officer, said in a statement. "We continue to take aggressive steps to ensure that all customer data on Ziff Davis Media's online network is not accessible to unauthorized parties."
Representatives for Ziff Davis and each of the attorneys general did not return calls seeking comment.
Ziff Davis will pay $500 to each of the approximately 50 customers whose credit card information it exposed in the breach, the New York Attorney General's Office said. The company will also pay the three states $100,000 total to cover their investigative costs, the Vermont Attorney General's Office said.
Ziff Davis agreed to use encryption and user authentication to safeguard customer data both when it's being transmitted to its Web site and when it is held on its servers, the attorneys general said.
Although the settlement amount was relatively small, the investigation into Ziff Davis' security breach represents a major step for online privacy, said Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center. Not only does it show that states are taking the lead in protecting consumers' privacy, but it also shows that companies are starting to be held liable for unintentionally violating customers' privacy, he said.
Dozens of such cases have happened in the past several years. Last year, for instance, a security breach atand exposed thousands of customer records.
"You're starting to see enforcement against privacy negligence, rather than just against intentional violations of privacy," Hoofnagle said. "That's pretty important."
Ziff Davis publishes PC Magazine, eWeek and seven other technology magazines. The company is unrelated to ZDNet, which is owned by CNET Networks, publisher of News.com.
Earlier this week, DoubleClick agreed to pay $450,000 to end a multistate investigation into its alleged violations of customers' privacy.