Exposing Private Information
This class action on the Equifax data breach is being brought by Gulf Winds Federal Credit Union, on behalf of financial institutions that have suffered losses. According to the complaint, Gulf Winds has had to address Compromised Account Management System (CAMS) alerts about customer credit card accounts, and it has incurred expenses in cancelling and reissuing many of its credit cards and in monitoring affected credit cards. In addition, the complaint alleges, it has had to spend time talking to affected customers, adding to fraud oversight measures, working to prevent fraud on consumer accounts, and helping members reduce potential damages, and these measures will likely have to continue for years to come.
Sonic acknowledges that it experienced a data breach that exposed the PII, credit card numbers, and other information of approximately five million customers that could allow criminals to make fraudulent charges to their accounts. The complaint for this class action alleges that it was Sonic’s negligence that enabled the data breach. Other chains, such as Wendy’s and Chipotle, have experienced data breaches recently which the complaint alleges should have put Sonic on notice. However, the complaint alleges, the system Sonic was using was in fact thirty years old, and while the company was working to update it, some locations were still on the old system.
People were shocked to hear of the data breach at Equifax, the possessor of an enormous amount of personal and credit account information (PII/CAI) for tens of thousands of people. The complaint for this class action claims that the company was negligent in its measures to protect the information, thus violating the requirements of the Fair Credit Reporting Act (FCRA) and Driver’s Privacy Protection Act (DPPA). In addition to the burden of placing “freezes” and “alerts” with agencies, closing or modifying accounts, and monitoring credit reports and accounts, the complaint alleges that victims of data breaches can be subject to serious harm—drained bank accounts, medical treatments on the victim’s insurance, charges on credit cards, fraudulent obtaining of government benefits in the victim’s name.
This settlement resolves a class action that alleges that American Media, Inc. and Odyssey Magazine Publishing Group, Inc. violated Michigan’s Preservation of Personal Privacy Act by disclosing customers’ subscription information to third parties.
Shorter University is settling a class action alleging that the personally identifiable information (PII) and protected health information (PHI) of certain current and former students was stolen or exposed because of a September 2014 theft of documents at the Winthrop-King Centre on Shorter’s campus.
PNI Digital Media, ULC has agreed to settle a class action concerning a data breach that took place between June 2014 and July 2015, which allowed access to customer payment card data and other information. The class action alleged that PNI violated Georgia’s data breach laws and that it was guilty of negligence, among other things.
On August 7, 2017, news broke that the HighPoint Solutions Human Resource Director, Christine Cushman, had stolen nearly a million dollars from the company, over a period of two years, by using others’ PII (private individual information) that the company had on file. According to the complaint, Cushman had made forty-five false payroll payments, purportedly to subcontractors, but in actuality depositing the payments into her own account. The complaint alleges that HighPoint breached its duty to properly safeguard PII, failed to put in place proper internal controls and supervisory systems to monitor Cushman, and failed to follow appropriate industry practices for PII storage and protection, among other things. It also claims that HighPoint bears responsibility for Cushman’s actions through the principle of Respondeat Superior.
The Neiman Marcus Group is settling a class action alleging that it was negligent and otherwise in violation of its duties in the case of a recent data breach. In January 2014, the company announced that it had experienced a data breach that exposed payment card information of customers who had made purchases at several of its stores.
Tempur Sealy sells its products to consumers through the Tempurpedic.com website. Until October 2016, its website and online payment system was handled through Aptos, a company that provides what the complaint calls “retail enterprise management solutions,” such as point of sale, analytics, and order management. According to the complaint, in February 2016, someone breached Aptos’s systems and installed malware to capture payment card and other information for forty online retailers, including Tempur Sealy. The complaint claims that not only should the information not have been obtainable, but that Aptos and Tempur Sealy were both remiss in not informing customers immediately.
According to the complaint, Deep Root collected PII on nearly 200 million Americans, including their names, addresses, e-mail addresses, dates of birth, browsing history, and voter ID numbers. The information allegedly included sensitive information analyzing where voters stood on controversial issues such as gun control and abortion, as well as information the RNC had had collected by other data analytics contractors from the 2008 and 2012 elections.