Failure to Inform Promptly of Data Breach
People were shocked to hear of the data breach at Equifax, the possessor of an enormous amount of personal and credit account information (PII/CAI) for tens of thousands of people. The complaint for this class action claims that the company was negligent in its measures to protect the information, thus violating the requirements of the Fair Credit Reporting Act (FCRA) and Driver’s Privacy Protection Act (DPPA). In addition to the burden of placing “freezes” and “alerts” with agencies, closing or modifying accounts, and monitoring credit reports and accounts, the complaint alleges that victims of data breaches can be subject to serious harm—drained bank accounts, medical treatments charged to the victim’s insurance, charges on credit cards, and government benefits fraudulently obtained in the victim’s name.
Shorter University is settling a class action alleging that the personally identifiable information (PII) and protected health information (PHI) of certain current and former students were stolen or exposed because of a September 2014 theft of documents at the Winthrop-King Centre on Shorter’s campus.
On August 7, 2017, news broke that the HighPoint Solutions Human Resource Director, Christine Cushman, had stolen nearly a million dollars from the company, over a period of two years, by using others’ PII (private individual information) that the company had on file. According to the complaint, Cushman had made forty-five false payroll payments, purportedly to subcontractors, but had in actuality deposited the payments into her own account. The complaint alleges that HighPoint breached its duty to properly safeguard PII, failed to put in place proper internal controls and supervisory systems to monitor Cushman, and failed to follow appropriate industry practices for PII storage and protection, among other things. It also claims that HighPoint bears responsibility for Cushman’s actions through the principle of Respondeat Superior.
Tempur Sealy sells its products to consumers through the Tempurpedic.com website. Until October 2016, its website and online payment system were handled through Aptos, a company that provides what the complaint calls “retail enterprise management solutions,” such as point of sale, analytics, and order management. According to the complaint, in February 2016, someone breached Aptos’s systems and installed malware to capture payment card and other information for forty online retailers, including Tempur Sealy. The complaint claims that not only should the information not have been obtainable, but that Aptos and Tempur Sealy were both remiss in not informing customers immediately.