Consumer Electronics Daily was a Warren News publication.
'Critical Facts' Missing

Citrix, Comcast Failed to Protect Customer Data, Say 3 More Class Actions

Two of three negligence class actions filed last week against Comcast over an October data breach also included software provider Citrix, which notified the internet service provider Oct. 10 of the vulnerability in one of its products Comcast uses. Comcast began notifying its customers of the breach Dec. 18 after conducting an investigation into the scope of the incident and determining there had been “unauthorized access” to some of its internal systems as a result of the breach, said the complaints.

Veronica Verdier of Pemberton, New Jersey, sued Comcast and Citrix Thursday in U.S. District Court for Eastern Pennsylvania in Philadelphia (docket 2:23-cv-05137), saying unauthorized third-party cybercriminals gained access to her personally identifiable information (PII) between Oct. 16 and Oct. 19 “with the intent of engaging in the misuse of the PII, including marketing and selling” her and class members’ PII, said the complaint.

The defendants' disregarded Verdier’s rights by “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures” to safeguard her PII, take available steps to prevent unauthorized disclosure of her data, and follow required protocols regarding the encryption of data, the complaint said.

Verdier has suffered actual injury in the form of damages to and diminution in the value of her PII and has suffered increased anxiety for her loss of privacy and the impact of cybercriminals accessing, using and selling her PII, the complaint said. She and class members remain “in the dark regarding what particular data was stolen, the particular malware used, and what steps are being taken, if any, to secure their PII going forward,” it said.

Defendants could have prevented the data breach by adequately securing and encrypting its servers, plus plaintiff and class members’ PII, the complaint said. Despite public announcements of recent data breaches, defendants failed to prevent Verdier’s PII from being compromised, it said.

Verdier asserts claims of negligence, breaches of implied contract and implied covenant of good faith and fair dealing, and unjust enrichment, the complaint said. She seeks orders requiring defendants to implement and maintain a comprehensive information security program and preventing them from maintaining her and class members’ PII on a cloud-based database. She also seeks an award for actual, nominal and consequential damages; attorneys’ fees and costs; and pre- and post-judgment interest.

Enrique Munoz, an Illinois resident, received notice from Comcast, Dec. 20 informing him of the data breach, said his Wednesday class action (docket 1:23-cv-17096) vs. Comcast in U.S. District Court for Northern Illinois in Chicago. “Significant” PII was included in the breach, including usernames, passwords, contact information, last four digits of Social Security numbers and secret questions for verification, said the complaint.

As a result of Comcast’s “failure to properly and timely notify their customers" of the full extent of the data breach, members of the class have not had the opportunity to fully protect themselves and take any specific precautions related to the breach, said the complaint. Munoz and class members are at a “very high risk of misuse” of their PII in coming months and years, including unauthorized access by third-party services and identity theft through use of his PII to open accounts, the complaint said.

To Munoz’s knowledge, Comcast “has made no changes to its data storage or security practices relating to the PII,” said the complaint. The ISP has also made no announcement that it has “remedied any and all vulnerabilities and negligent data security practices” that led to the breach, it said.

In addition to negligence, Munoz asserts claims of breach of confidence; invasion of privacy by public disclosure of private facts and intrusion upon seclusion; breach of contract and implied contract; unjust enrichment, and violations of Illinois’ Consumer Fraud and Deceptive Business Practices and Uniform Deceptive Trade Practices acts, the complaint said.

Munoz seeks orders enjoining Comcast from engaging in the wrongful acts and omissions described in the complaint; plus awards of compensatory, actual and punitive damages; attorneys’ costs and legal fees; and interest, the complaint said.

Brittany Hammond of Sicklerville, New Jersey, and Tamia Charles, of Alexandria, Virginia, brought their class action (docket 0:23-cv-62409) in U.S. District Court for Southern Florida in Fort Lauderdale against Comcast and Citrix for failing to safeguard their PII. Both received email notices about the breach from Comcast dated Dec. 18, they said.

Omitted from the notice letter were details of the root cause of the data breach, the vulnerabilities exploited and any remedial measures undertaken to ensure such a breach doesn’t happen again, said the complaint. The disclosure “amounts to no real disclosure at all, as it fails to inform, with any degree of specificity,” the “critical facts” that plaintiffs need to mitigate harms resulting from the breach, it said.

The defendants had a legal duty to adopt reasonable measures to protect plaintiffs’ and class members’ PII from “involuntary disclosure to third parties,” the complaint said. “Moreover, Comcast had a duty to audit, monitor, and verify the integrity of its IT vendors and affiliates,” it said. Plaintiffs now face “years of constant surveillance of their financial and personal records,” it said.

Plaintiffs and class members’ injuries resulting from the breach include invasion of privacy; theft and diminished value of their PII; lost time and opportunity costs associated with attempting to mitigate the consequences of the breach; an increase in spam calls, texts, and emails; and increased risk to their PII, which remains unencrypted and available for unauthorized third parties to access and abuse, the complaint said.

Hammond and Charles assert claims of negligence and negligence per se; breaches of implied contract and third-party beneficiary contract; unjust enrichment; and violations of the Florida Deceptive and Unfair Trade Practices and New Jersey Consumer Fraud acts, the complaint said.

Plaintiffs seek orders enjoining the defendants from engaging in the wrongful conduct described in the complaint and requiring them to provide out-of-pocket expenses associated with the prevention, detection and recovery from identity theft, tax fraud and unauthorized use of their PII for their “respective lifetimes,” it said. Plaintiffs seek actual, nominal statutory, consequential and punitive damages, attorneys’ fees and legal costs, plus prejudgment interest, it said. Comcast didn’t comment.