HARRISBURG, Pa. (WHTM) — Attorney General Josh Shapiro announced on Friday, Dec. 16 a settlement with a graduation memorabilia company after a data security event discovered in April 2021 exposed Pennsylvanians’ private information.

“Protecting Pennsylvanians’ personal information and financial data is a key priority of my office,” said AG Shapiro. “Every corporation that does business in Pennsylvania needs to stay alert and protect their customers’ personal data or they will have to answer to my office in court. The terms of today’s settlement will help Herff Jones graduate to better protection of consumers’ personal information.”

Herff Jones, a producer and seller of yearbooks, class rings, caps and gowns, and other graduation memorabilia, was notified on April 7, 2021, by one of its payment processors that a number of payment cards tracing back to Herff Jones had been found on three different websites known to sell stolen payment card data.

A forensic investigation revealed that on Dec. 15, 2020, an unknown attacker exploited a vulnerability in the company’s web servers that allowed them to steal customers’ payment card information and other personal information.

Herff Jones will pay $100,000 each to both the Pennsylvania and New York Attorneys General Offices.

“Herff Jones turned milestones into mayhem for thousands of students whose personal information was stolen online because of poor data security measures,” said New York Attorney General Letitia James. “Consumers who bought class rings and other graduation tokens had their personal information end up in the wrong hands. Companies have an obligation to prioritize their customers’ digital data safety and this agreement will require Herff Jones to strengthen its data security measures. I thank Pennsylvania Attorney General Shapiro for his collaboration in this effort.”

As quoted in the release, the settlement requires Herff Jones to maintain reasonable security policies designed to protect consumer personal information, including:

  1. Designating an employee to coordinate and supervise its information security program;
  2. Conducting annual security risk assessments of the networks that store personal information;
  3. Conducting annual employee training to inform employees who are responsible for handling private information about the company’s data security practices;
  4. Designing and implementing reasonable security measures for protecting and storing personal information, including timely software patching, penetration testing of its networks, and reasonable access controls such as multi-factor authentication;
  5. Complying with PCI DSS and validating that compliance by engaging a PCI Qualified Security Assessor (QSA) to conduct an assessment resulting in the delivery of a PCI Report on Compliance (ROC) and Attestation of Compliance (AOC).

The Pennsylvania investigation and settlement negotiations were handled by Senior Deputy Attorney General Tim Murphy.