BreachExchange mailing list archives
They're not fraud victims yet, but plaintiffs quickly sue Pompano Beach company over data breach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 6 Aug 2018 20:03:36 -0500
http://www.sun-sentinel.com/business/fl-bz-complyright-data-breach-suit-20180803-story.html It didn’t take long for the lawyers to show up. A Pompano Beach-based business services company, ComplyRight, was sued in two separate federal court actions just days after notifying clients that their personal information was exposed in a data breach. The company sent letters to customers on July 13 stating that names, addresses, telephone numbers, email addresses and Social Security numbers were “accessed and/or viewed” in what it called “unauthorized access” of its website between April 20 and May 22. It said it was unaware of any identity fraud resulting from the breach and told letter recipients they were entitled to 12 months of free credit monitoring. A week after sending the letter, five Chicago attorneys sued the company in the Northern District of Illinois on behalf of Susan Winstead, identified in the suit only as a resident of Illinois. Winstead received a letter from ComplyRight on July 17, three days before the suit was filed on July 20, the suit said. The suit cites a nearly two-month lag between when ComplyRight said it discovered the data breach and when it sent the notification letters, saying the company kept the incident secret during its forensic investigation and gave the data thieves three months since the breach began “to perpetuate fraud … with no victim aware of the threat.” The number of victims is unknown, the suit said, but “Plaintiff has reason to believe that the number of impacted individuals is very large.” On July 26, Fort Lauderdale attorney Seth M. Lehrman of the firm Edwards Pottinger LLC filed a suit in U.S. District Court in Fort Lauderdale on behalf of plaintiffs Robert Bohannon of Granger, Ind., and Holly Buckingham of Woodbine, Md. The suit did not claim that identity thieves had impersonated Bohannon or Buckingham, or that they had suffered financial damages beyond the fact that “Buckingham has spent at least two business days expending effort to ensure her Personal Information is not used by the hackers and that her identity is not stolen.” Bohannon and Buckingham were “injured,” the suit stated, because ComplyRight “failed to adequately safeguard” their personal information. Likewise, Winstead and other members of the class suffered “injuries and damages” because they are now at increased risk of identity theft and fraud and because of expenses and the value of their time spent mitigating the increased risk of fraud. None of the attorneys responded to emails from the Sun Sentinel seeking comment about the suit. ComplyRight also did not respond to requests to discuss this story, or the initial report about its data breach notifications. ComplyRight, identified in the suits as a Minnesota company with its principal place of business in Pompano Beach, provides human resources services for small businesses and told victims their information would have been in the company’s online database because it was entered on tax forms by employers or payers, including Forms 1099 and W-2. Both suits seek certification as class actions, damages to the plaintiffs and other class members, and plaintiffs’ attorneys fees, costs and expenses. These days, it’s common after data breaches make the news for plaintiffs’ attorneys to engage in “a race to the courthouse” to file class-action suits even before plaintiffs are victimized by identify theft in hopes that defendants will opt to settle rather than litigate, said Nathan Taylor, a cybersecurity attorney with Morrison Foerster LLP in Washington, D.C. “Plaintiffs’ attorneys want to get there before other plaintiffs’ attorneys,” Taylor said. He said more courts are denying motions by defendants to dismiss class-action data breach cases on grounds that plaintiffs lack standing because they haven’t yet suffered damages from identity fraud. Courts are increasingly agreeing with plaintiffs that time spent by data breach victims enrolling in credit monitoring services, calling credit cards companies, and dealing with paperwork has a monetary value, according to an April blog entry by Morrison Foerster attorneys Tiffany Cheung and Morgan Donoian MacBride. When motions to dismiss are denied, defendants will choose to settle rather than proceed to trial in nearly all cases, Taylor said. Notable settlements in recent years include $115 million agreed to by health insurer Anthem Inc. last year after a breach compromised almost 80 million customers, and $19.5 million that Home Depot agreed to pay to compensate customers affected by a 2014 breach. Last year, Home Depot agreed to pay $27 million to affected credit card companies. Taylor said he is unaware of any data breach lawsuit that resulted in a trial over the question of defendants failing to adequately secure their customers’ information. “Companies don’t want to go to trial against their customers,” he said. _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- They're not fraud victims yet, but plaintiffs quickly sue Pompano Beach company over data breach Destry Winant (Aug 07)