Failure to Inform Promptly of Data Breach
On August 7, 2017, news broke that the HighPoint Solutions Human Resource Director, Christine Cushman, had stolen nearly a million dollars from the company, over a period of two years, by using others’ PII (private individual information) that the company had on file. According to the complaint, Cushman had made forty-five false payroll payments, purportedly to subcontractors, but in actuality deposited the payments into her own account. The complaint alleges that HighPoint breached its duty to properly safeguard PII, failed to put in place proper internal controls and supervisory systems to monitor Cushman, and failed to follow appropriate industry practices for PII storage and protection, among other things. It also claims that HighPoint bears responsibility for Cushman’s actions through the principle of Respondeat Superior.
Tempur Sealy sells its products to consumers through the Tempurpedic.com website. Until October 2016, its website and online payment system were handled through Aptos, a company that provides what the complaint calls “retail enterprise management solutions,” such as point of sale, analytics, and order management. According to the complaint, in February 2016, someone breached Aptos’s systems and installed malware to capture payment card and other information for forty online retailers, including Tempur Sealy. The complaint claims that not only should the information not have been obtainable, but that Aptos and Tempur Sealy were both remiss in not informing customers immediately.