Financial Firm's Practices Left Customers' PII 'Vulnerable to Cyberattacks': Class Action
Financial Risk Mitigation (FRM) maintained customers’ personally identifiable information (PII) on its computer network in a condition “vulnerable to cyberattacks,” alleged a class action Wednesday (docket 2:24-cv-00025) in U.S. District Court for Eastern Louisiana in New Orleans.
Daniel Bednyak of Highland Park, Illinois, wouldn't have entrusted his PII to FRM if he had known the company would not adequately protect it, said the complaint, citing a Dec. 7 notice he received about a Sept. 29 “security incident.” The letter informed data breach victims that FRM became aware of “unusual activity” on a computer in its network Sept. 29 when there was “unauthorized access” to certain FRM systems Sept. 28-29, it said.
On Nov. 10, FRM determined that “these files contained your information,” said the complaint, quoting the letter Bednyak received. It was also determined certain files within the breached systems “were copied and taken,” it said. Bednyak’s information that was taken included his name, Social Security number (SSN), address, credit report, credit report with redacted SSN, date of birth, home address and legal name, the complaint said.
The FRM letter did not include details on the root cause of the breach, the vulnerabilities exploited and remedial measures taken to ensure such a breach doesn’t occur again, the complaint said. The “'disclosure’ amounts to no real disclosure at all, as it fails to inform” with specificity, Bednyak and class members of critical facts surrounding the breach, it said.
FRM did not use reasonable security procedures appropriate to the nature of the sensitive information it maintained for Bednyak, such as encrypting it or deleting it when it was no longer needed, the complaint said. The attacker “accessed and acquired files” FRM shared with a third party containing Bednyak’s unencrypted PII, and the plaintiff believes the PII was sold on the dark web, “as that is the modus operandi of cybercriminals that commit cyber-attacks of this type,” it said.
By obtaining and storing Bednyak’s PII, FRM assumed legal and equitable duties and knew, or should have known, that it was responsible for protecting the PII from disclosure, the complaint said. Companies like FRM are regularly targeted due to the highly sensitive information they hold, it said. The defendant could have prevented the data breach by properly security and encrypting the files and servers containing Bednyak’s and class members’ PII, it said.
As companies become more dependent on computer systems to run their businesses, with remote work and the IOT, “the danger posed by cybercriminals is magnified, thereby highlighting the need for adequate administrative, physical, and technical safeguards,” said the complaint, citing a 2022 Picus Security report.
As a result of FRM’s inadequate data security practices, the risk of identity theft to Bednyak “has materialized and is imminent,” said the complaint. Among his sustained injuries arising from the breach are invasion of privacy, theft and diminished value of his PII, lost time and opportunity costs associated with mitigating the effects of the breach and continued increased risk to his PII, which remains unencrypted and “available for unauthorized third parties to access and abuse,” it said.
Bednyak asserts claims of negligence and negligence per se, breach of third-party beneficiary contract, invasion of privacy, unjust enrichment and violation of the Illinois Consumer Fraud Act, the complaint said. He seeks injunctive relief, including requiring FRM to protect, through encryption, all data collected in accordance with applicable regulations, laws and industry standards; to destroy plaintiff’s and class members’ PII; and to implement and maintain a comprehensive information security program.
Bednyak seeks actual, compensatory, statutory, nominal and punitive damages with interest, plus attorneys’ fees and court costs.