May 20, 2022

Volume XII, Number 140

Advertisement
Advertisement

May 20, 2022

Subscribe to Latest Legal News and Analysis

May 19, 2022

Subscribe to Latest Legal News and Analysis

May 18, 2022

Subscribe to Latest Legal News and Analysis

If Your Disclosure of a Data Breach Was “Late,” You May Have to Litigate

A professional accounting firm in Illinois received an unwanted holiday “gift” in the form of a class action complaint stemming from its alleged failure to secure personally identifiable information (PII) and to timely notify affected parties of a data breach.

On December 17, 2021, a lawsuit was filed against Bansley & Kierner, LLP, which offers payroll and benefit services to businesses, by an employee of one of its clients, seeking damages on behalf of himself and others. According to the allegations of the complaint, Bansley failed to properly secure and safeguard a wide range of payroll and benefit plan participants’ PII, including names, dates of birth, Social Security numbers, drivers’ license and passport numbers, financial account numbers, and personal health information. Bansley apparently discovered in mid-December 2020 that its network had fallen victim to a ransomware attack by an “unauthorized person.” The complaint asserts that Bansley elected not to notify participants and clients of the incident at that time, instead choosing to address the incident on its own by making upgrades to some aspects of its computer security, restoring the impacted systems from backups, and then resuming normal business operations.

In May 2021, Bansley allegedly learned that PII had been exfiltrated from its network, and only then retained a cybersecurity company to investigate. Within three months, the investigators determined that individuals’ PII (including full names and SSNs) was present on the system and potentially stolen at the time of the 2020 incident. Over 274,000 individuals were affected. According to the complaint, however, Bansley did not notify state Attorneys General and participants about the data breach until late November or early December 2021, nearly a year after Bansley first became aware of the incident. The complaint further alleges that Bansley failed to explain the delay and did not properly disclose to plan participants the time period during which their PII had been exposed, though the firm did offer free credit monitoring services for a one-year period. Plaintiff claims that he and the potential class members were, and continue to be, at significant risk for identity theft and various other forms of personal, social, and financial harm due to Bansley’s negligence, including out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, or unauthorized use of PII and fees associated with fraudulent charges on their accounts.

These are as yet unproven allegations and it is unclear from the complaint whether, to date, any participants have actually experienced identity theft or fraud as a result of the breach. Nevertheless, the accounting firm will incur legal fees in defense of the lawsuit (in addition to what it has spent on remediation efforts), and the case underscores the importance of prompt investigation, reporting, and notification of data breach incidents.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.National Law Review, Volume XI, Number 355
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jean Tomasco, Robinson Cole Law Firm, Hartford, Labor and Employment, Litigation Law Attorney
Counsel

Jean Tomasco's practice involves employer counseling and employment litigation, with an emphasis on the Employee Retirement Income Security Act (ERISA) and benefits litigation. She is a member of the firm’s Health + Benefits Litigation Team and its Labor, Employment, Benefits + Immigration Group.

Employee Benefits and Compensation Litigation

Jean has more than two decades of experience handling benefit claims litigation. She represents insurers, managed care organizations, and employers in benefit...

860-275-8323
Advertisement
Advertisement
Advertisement