Consumer Electronics Daily was a Warren News publication.
No Direct Notice

PSC Removes Ore. Negligence Suit Over May Data Breach to District Court

MOVEit file transfer software owner Progress Software Corp. (PSC) inadequately safeguarded class members' private information it maintained and failed to provide timely and adequate notice of its May data breach to plaintiffs and class members, alleged a September class action (docket 6:23-cv-01532) PSC removed Wednesday to U.S. District Court for Oregon in Eugene. The negligence case was filed Sept. 13 in Oregon’s Marion County Circuit Court against PSC and Oregon’s Department of Transportation (ODOT).

Plaintiffs Caery Evangelist and Brian Els, Oregon residents, allege a critical “zero-day” flaw in MOVEit led to “a wave of cyberattacks” by Russian cybergang Clop against organizations that collected the personally identifiable information (PII) of plaintiffs and the class, including that held by ODOT. The data breach affected 3.5 million “similarly situated” individuals’ names, addresses, license or identification numbers and the last four digits of their Social Security numbers, said the complaint.

As of the Sept. 13 complaint, PSC and ODOT had't sent direct notice of the breach “to those impacted,” giving criminals a “head start” on using plaintiffs’ and class members' PII “for nefarious purposes,” the complaint said. Armed with their PII, data thieves can open financial accounts and take out loans in class members’ names, use their information to obtain government benefits, file fraudulent tax returns and obtain driver’s licenses with another person’s photograph, it said.

Evangelist and Els entrusted their PII to ODOT, which then provided it to PSC, said the complaint. Both defendants “willingly accepted the responsibility" to adequately secure, safeguard and maintain plaintiffs' PII, it said. There has been “no assurance offered by PSC nor ODOT that PSC adequately enhanced its data security practices sufficient to avoid a similar vulnerability in its MOVEit Transfer products and services in the future,” it said. ODOT hasn't said it will sever its relationship with PSC, “nor that it is even evaluating its relationship” with the software company, it said.

ODOT knew if it didn't select a vendor with adequate data security that plaintiffs’ PII would be unlawfully exposed, said the complaint, and PSC was “on notice” that failing to take necessary steps to secure the PII it possessed “left it vulnerable to an attack” and class members’ PII at risk, it said.

The information stolen in the data breach is “especially egregious because the PII stolen cannot be easily changed or replaced,” said the complaint. ODOT says it won't change a victim’s driver’s license or ID number “unless there is proof that [their] name and number were used in committing a fraudulent act,” it said. Plaintiff Evangelist and the class, who were required to disclose their PII to ODOT to receive a driver’s license or ID card, received notice of the data breach from ODOT via public announcements on the internet, on TV or radio. Defendants haven't provided remedial services, such as free credit monitoring, to those affected by the breach, the complaint said. Evangelist estimates she spent 20 hours addressing the breach.

Similarly, plaintiff Els received notice of the breach via public announcements and also spent about 20 hours addressing its “fallout,” via research of the event, reviewing credit reports and financial statements for fraud, and researching credit monitoring and identity theft protection services, the complaint said. Plaintiffs and the class will have to "expend additional time and funds to review their credit reports and monitor their accounts for the rest of their lives,” it said.

In addition to negligence, plaintiffs assert claims of breach of third-party beneficiary contract, unjust enrichment and violation of Oregon’s Unlawful Trade Practices Act (UTPA) and Drivers Privacy Protection Act (DPPA), the complaint said. They seek orders providing injunctive relief; requiring defendants to provide funds for lifetime credit monitoring and identity theft insurance for them and the class; and requiring defendants to pay the costs of notifying class members about the judgment and administering the claims process. They seek awards of pre- and post-judgment interest; actual, statutory and nominal damages; reasonable attorneys’ fees and costs; and other relief deemed “just and proper” by the court.

PSC denies plaintiffs will be able to satisfy the standards for class certification, said the removal notice, because 1) it involves a putative class action, (2) a member of the class is a citizen of a state different from PSC, which is incorporated in Delaware and has its principal place of business in Massachusetts, (3) the number of proposed class members is 100 or more out of a likely class of “3.5 million” individuals, and (4) the amount in controversy as pled tops $5 million.

Identity-protection agencies Equifax, LifeLock and Experian advertise monthly rates for credit-monitoring from $7.50-$24.99 per person, which would bring the amount in controversy for monitoring for one year to about $315 million, said PSC. Plaintiffs seek lifetime monitoring, which would exceed the $5 million threshold, it said. Under the UTPA, plaintiffs are entitled to recover actual or statutory damages of $200, whichever is more, it said. With a putative class of 3.5 million, damages could reach up to $700 million under the UTPA and $8.75 billion under the DPPA, it said.