If Your Disclosure of a Data Breach Was “Late,” You May Have to Litigate
A professional accounting firm in Illinois received an unwanted holiday “gift” in the form of a class action complaint stemming from its alleged failure to secure personally identifiable information (PII) and to timely notify affected parties of a data breach.
On December 17, 2021, a lawsuit was filed against Bansley & Kierner, LLP, which offers payroll and benefit services to businesses, by an employee of one of its clients, seeking damages on behalf of himself and others. According to the allegations of the complaint, Bansley failed to properly secure and safeguard a wide range of payroll and benefit plan participants’ PII, including names, dates of birth, Social Security numbers, drivers’ license and passport numbers, financial account numbers, and personal health information. Bansley apparently discovered in mid-December 2020 that its network had fallen victim to a ransomware attack by an “unauthorized person.” The complaint asserts that Bansley elected not to notify participants and clients of the incident at that time, instead choosing to address the incident on its own by making upgrades to some aspects of its computer security, restoring the impacted systems from backups, and then resuming normal business operations.
In May 2021, Bansley allegedly learned that PII had been exfiltrated from its network, and only then retained a cybersecurity company to investigate. Within three months, the investigators determined that individuals’ PII (including full names and SSNs) was present on the system and potentially stolen at the time of the 2020 incident. Over 274,000 individuals were affected. According to the complaint, however, Bansley did not notify state Attorneys General and participants about the data breach until late November or early December 2021, nearly a year after Bansley first became aware of the incident. The complaint further alleges that Bansley failed to explain the delay and did not properly disclose to plan participants the time period during which their PII had been exposed, though the firm did offer free credit monitoring services for a one-year period. Plaintiff claims that he and the potential class members were, and continue to be, at significant risk for identity theft and various other forms of personal, social, and financial harm due to Bansley’s negligence, including out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, or unauthorized use of PII and fees associated with fraudulent charges on their accounts.
These are, as yet, unproven allegations, and it is unclear from the complaint whether, to date, any participants have actually experienced identity theft or fraud as a result of the breach. Nevertheless, the accounting firm will incur legal fees in defense of the lawsuit (in addition to what it has spent on remediation efforts), and the case underscores the importance of prompt investigation, reporting, and notification of data breach incidents.