Jimmy John's announced in late September that customer payment card data may have been compromised in a security breach at over 200 of its stores between June and September. Illinois law requires companies to notify customers of credit and debit card breaches within a reasonable time. While Jimmy John's learned of the breach in late July, they did not publicly announce it until September. The Illinois Attorney General's office is investigating the breach at Jimmy John's to determine the source and appropriate response.

1. Jimmy John’s security breach latest test of consumer notice - Gate House Page 1 of 2
>
By Tim Landis Print Page
Business Editor
September 28. 2014 10:00PM
Jimmy John’s security breach latest test of consumer notice
Companies must provide notification to customers of credit and debit card security breaches within a reasonable time
under Illinois law.
In the case of Jimmy John’s, the sandwich chain learned July 30 of a data breach at more than 200 stores, but it wasn’t
announced until Wednesday. Restaurants at 3128 S. Sixth St. and 2925 Iles Ave. in Springfield were among stores hit,
according to the company.
“There’s a reason,” Illinois Attorney General Lisa Madigan told The State Journal-Register. “We don’t want to
undermine any type of criminal investigation. We want to be able to determine the source of the breach.”
Madigan’s office is leading an investigation into the Jimmy John’s security breach.
The Jimmy John’s location at 3128 S.
The two-month period between discovery and public announcement at Jimmy John’s is not uncommon, said Madigan,
Sixth St. was one of 216 Jimmy John’s
who is seeking re-election in November.
restaurants affected by a possible data
“Under Illinois law, they are required to provide notice within the most expedient time possible and without
breach. Jason Piscia/SJ-R
unreasonable delay,” she said.
Madigan said companies could face penalties if unnecessary delays were found or if insufficient steps were taken to protect consumer data. The Federal Trade
Commission also announced earlier this year it would seek more authority to enforce security improvements, including consumer-notification requirements.
Jimmy John’s, based in Champaign, said in an announcement that steps were taken to protect customers. Debit and credit card purchases made between June
16 and Sept. 5 were affected.
A message left with Jimmy John’s representatives was not returned Friday, but the company posted a statement on its website, jimmyjohns.com, that said the
breach was contained and customers could safely use debit and credit cards for purchases.
The company said login credentials for its point-of-sale system were stolen from a third-party vendor. Jimmy John’s has hired independent experts to
investigate the break-in, according to the statement.
“Jimmy John’s has taken steps to prevent this type of event from occurring in the future,” the statement said, “including installing encrypted swipe machines,
implementing system enhancements, and reviewing its policy and procedures for third-party information.”
Schnuck Markets Inc. in August reached a tentative settlement of a lawsuit resulting from a security breach at nearly 80 supermarkets in Missouri, Illinois,
Iowa and Indiana, including two stores in Springfield.
Approximately 2.2 million cards were affected.
The company declined further comment other than to point out consumers received regular updates, including through the website, a toll-free hotline and the
news media.
Jerry Bryan of Bryan Consulting Inc. in St. Louis said clients of the communications and technology firm are advised to get information out as quickly as
possible, including through social media, when there are problems with company products or services.
“It runs counter to what most corporate managers believe: ‘I can’t say anything because I don’t have all the facts,’” Bryan said. “By the time you know all the
facts, the public is blaming you.”
He said companies must help consumers understand that the companies also have been victimized, in this case by cybercriminals.
“Jimmy John’s had a security breach, and my first inclination is to think Jimmy John’s did this,” Bryan said. “Something has to make me slow down just
enough to realize somebody attacked Jimmy John’s.”
The Illinois attorney general’s office received more than 3,000 identity theft complaints in 2013, second only to 4,300 consumer debt complaints. Identity
theft has been the fastest-growing category in recent years.
Madigan said the question of consumer notification regularly comes up following a security breach but that consumers themselves remain the best defense
against identity theft.
“They should be watching their debit and credit card information,” Madigan said. “We’re encouraging them to have transaction alerts on credit and debit
cards. There are some very basic things that should just be part of their routine.”
***
Want more information?
http://www.sj-r.com/article/20140928/News/140929507?template=printart 10/27/2014

2. Jimmy John’s security breach latest test of consumer notice - Gate House Page 2 of 2
Jimmy John’s restaurant chain has posted information on the recent breach of credit and debit card purchases at jimmyjohns.com. Consumers who believe
their card was compromised also can call (855) 398-6442.
Additional information on identity theft is available from the Illinois attorney general’s office at illinoisattorneygeneral.gov or by calling the state identity theft
hotline at (866) 999-5630.
Contact Tim Landis: 788-1536, tim.landis@sj-r.com, twitter.com/timlandisSJR.
http://www.sj-r.com/article/20140928/News/140929507 Print Page
http://www.sj-r.com/article/20140928/News/140929507?template=printart 10/27/2014