Dish's 3-Month Delay in Notifying Former Employees of Breach Heightened Risk: Suit
Dish’s February data breach was a direct result of its “flawed online system configuration and design” and its “failure to implement and follow basic security procedures,” alleges a Tuesday class action (docket 1:23-cv-01556) in U.S. District Court for Colorado in Denver. From Feb. 22 to Feb. 27, unauthorized third-party hackers began accessing and exfiltrating the private information of customers and current and former employees, said the complaint.
Plaintiff Ritha Fulmore, a North Carolina resident and former Dish employee, received word of the data breach in a letter dated May 17 informing her that her private information had been compromised. Though Dish informed consumers in March about the breach, it didn’t mail notices to its current and former employees affected by the breach until mid-May, said the complaint.
In the May 17 letter, Dish told former employees that records and information of some former employees, family members and other individuals were among the data extracted. The process of locating personal information in the stolen dataset “and matching that information to individuals” for notification “was complex and time-consuming,” said the letter, saying that work was completed May 8.
The nearly three-month delay in notification deprived Fulmore and class members of the ability to mitigate potential damages, said the complaint. Because the breach compromised Fulmore’s name, address, phone number, birth date, gender and Social Security number, “she faces a substantial and imminent risk of fraud and identity theft,” it said.
Dish failed to fulfill its obligation to protect the personal information of class members, said the complaint. The company should have known “hackers and cybercriminals would be able to commit identity theft, financial fraud, phishing, socially engineered attacks, healthcare fraud, and other identity-related fraud if they were able to exfiltrate that data from Dish’s systems,” it said.
Cybersecurity firms have promoted best practices that companies should implement to protect personal information, including installing appropriate malware detection software; monitoring and limiting network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protecting physical security systems; and training staff on critical points, said the complaint. Organizations such as Dish have “added incentive to harden their networks against unauthorized penetration, because they directly control the data necessary to access consumers’ financial accounts,” it said.
The FTC established guidelines for fundamental data and cybersecurity principles for businesses, including disposing of personal information no longer needed, encrypting stored information, understanding their networks’ vulnerabilities and implementing policies to correct security problems, the complaint said. Guidelines also recommend businesses use an intrusion detection system to expose a breach “as soon as it occurs,” it said.
Plaintiff claims negligence, breach of implied contract, breach of confidence, invasion of privacy and intrusion upon seclusion. Fulmore seeks for herself and the class declaratory and injunctive relief; compensatory, consequential, statutory, restitution and treble damages; an order requiring Dish to strengthen its data security and monitoring, submit to annual audits, provide several years of free credit monitoring and identity theft insurance to class members; and an order to destroy legacy consumer data that’s not necessary to keep for business purposes. She also seeks an award of attorneys’ fees, legal costs and pre- and post-judgment interest.