LoanCare's PII 'Catastrophe' Virtually 'Froze' All Company Activities: Class Action
Fidelity National Financial (FNF) and its LoanCare subsidiary failed to comply with industry standards to protect its customers’ “highly valuable, protected, personally identifiable information” (PII) in a November data breach that the company referred to as a “catastrophe,” alleged a class action Thursday (docket 3:24-cv-00115) in U.S. District Court for Middle Florida in Jacksonville.
Andre Gharibian, a California resident, received a notification from LoanCare informing him his PII that was in the company’s possession “was compromised” in the data breach, the complaint said. As a result, Gharibian has spent about 25 hours of his “valuable time and effort,” and plans to spend more, monitoring financial accounts, scanning the dark web for his PII and researching the data breach “to prevent any misuses of his PII,” the complaint said.
FNF announced it had experienced a “cybersecurity incident” on Nov. 19, and news articles reported that the mortgage servicing company shut down its network, systems and even email in an attempt to “scrub their servers in Jacksonville and prevent any issues,” said the complaint, citing a Nov. 22 TechCrunch article.
The shutdown “virtually froze all the company and its subsidiaries’ activities, leaving people buying and selling homes, or paying mortgages, confused and uncertain of what was going to happen to their properties and money,” said a subsequent TechCrunch report. LoanCare called the incident a “catastrophe” in an automated message played on its customer support number, TechCrunch reported. Soon after the incident, ransomware gang BlackCat claimed responsibility for the cyberattack on FNF in a message posted on its dark web site, it said.
LoanCare filed a notice of data breach with the attorney general of Maine, citing the Nov. 19 cyberattack but giving only “minimal information,” said the complaint. The company said it began an investigation “with the assistance of third-party experts, notified certain law enforcement and governmental authorities, and began taking measures to assess and contain the incident” that “has been contained.” Some 1.3 million individuals were affected, the complaint said.
LoanCare stores on its network customers’ contact, demographic, identity and financial account information, said the complaint. Had LoanCare maintained its IT network and “worked diligently to correct vulnerabilities, remedied the deficiencies in their information storage and security systems, followed industry guidelines, and adopted security measures recommended by experts in the field,” it could have prevented intrusion into the network and the theft of Gharibian’s and class members’ PII, the complaint said.
A financial institution has an “affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information,” said the complaint, citing the Gramm-Leach-Bliley Act (GLB Act).
The complaint noted the “substantial time lag” between when a breach occurs and when it is discovered, plus the gap between when PII is stolen and when it is used. It cited a 2019 GAO report that said stolen data may be held for a year or more before being used to commit identity theft. Gharibian and class members will need to maintain heightened security measures for years “and possibly their entire lives” as a result of the defendants’ conduct, it said.
Gharibian asserts claims of negligence and negligence per se and a declaratory judgment that defendants owe plaintiffs a legal duty to secure their PII under the FTC and GLB acts, the complaint said. He seeks damages, an order of restitution, declaratory and injunctive relief, attorneys’ fees and costs, plus pre- and post-judgment interest.