Calif. Contractor's 'Unencrypted' Data Left Network Exposed for Attack: Class Action
Silicon Valley Mechanical (SVM) stored the personally identifiable information (PII) of plaintiff Patrick Brenan and class members “unencrypted, in an Internet-accessible environment” on its network, allowing cybercriminals to access it using an "extraction tool," alleged a negligence class action Wednesday (docket 5:24-cv-02147) in U.S. District Court for Northern California in San Jose.
A targeted late-May ransomware attack on the mechanical contractor’s network resulted in unauthorized access to Brenan and class members’ PII, causing them “ascertainable losses” in the form of the benefit of their bargain, out-of-pocket expenses, and the value of their time incurred to deal with the effects of the attack, said the complaint. The company told victims the stolen PII included full names and Social Security numbers.
Brenan, a Nevada resident, has experienced fraudulent activity on his checking account as a result of the breach, the complaint said. The former SVM employee was required to provide his name and Social Security number as a condition of employment, it said. The breach caused Brenan emotional distress and the risk of imminent harm due to the compromise of his PII, it said.
SVM began notifying victims of the data breach July 5, telling them of “suspicious activity” it noticed on its network on or about May 31, said the complaint. Its investigation with third-party forensic experts to assess the security of its systems pinned the May 30-June 6 time frame as the period during which the breach occurred. A subsequent “comprehensive review” of potentially affected files determined it was “plausible and likely” that Brenan’s PII was stolen during that period, it said.
The two years of complimentary fraud and identity theft insurance SVM offered victims of the breach “does nothing to compensate them for damages incurred and time spent dealing with” the incident, said the complaint. As a result, the plaintiff has and will continue to spend “considerable time and money on an ongoing basis” to try to mitigate and address harms the breach caused, including changing passwords, canceling credit and debit cards, and monitoring accounts for fraudulent activity, the complaint said.
SVM’s data security obligations were “particularly important” in light of the “substantial increase in cyberattacks” and data breaches in industries holding significant amounts of PII, said the complaint. As a direct and proximate result of SVM’s conduct, Brenan and class members have been placed at a present, imminent, immediate and continuing increased risk of harm from fraud and identity theft, it said.
The plaintiff’s claims include negligence, breach of implied contract and fiduciary duty, invasion of privacy, and violations of California’s Unfair Competition Law, Consumer Privacy Act and Consumer Records Act, the complaint said. He seeks orders requiring SVM to encrypt all data collected in the course of business, to delete and destroy his and class members’ PII and to provide out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft and tax fraud, the complaint said. He also seeks actual, nominal, statutory, consequential, and punitive damages, attorneys’ fees and costs, plus pre- and post-judgment interest.