
IGNORE THIS WARNING AT YOUR OWN PERIL

Joe Allen

Updated: Jan 28


There was a recent settlement in a data breach lawsuit out of Washington State that grabbed our attention, and it wasn't just the $5.6 Million settlement amount. The defendant was a collection agency, not a car dealer or finance company, but the circumstances are exactly what we worry about with our own clients. Make no mistake, this could happen to you if you don't take our concerns about information security and the Safeguards Rule seriously.


What Happened?


Nothing fancy, which is what is scary. This collection agency suffered a penetration (unauthorized access) of its servers in April of 2021. About a month later, there was a ransomware attack that disrupted its network. Once this occurred, the company disconnected its system, rebuilt its servers and hired a third-party firm to investigate. Unfortunately, it was discovered that sensitive information, including social security numbers, was accessible to third parties. The company did the right thing and notified individuals that it believed to be impacted, and there were a lot of them, since this was a big agency.


The Lawyers Descend


Never to miss out on an opportunity to make a buck, the lawyers filed class action lawsuits, with allegations of negligence, inadequate security measures, failure to monitor system vulnerabilities, and failure to follow industry standards and the FTC's guidelines in effect at the time. That last part is really important, because this lawsuit was before the FTC Safeguards Rule went into effect. For those that live under a rock and aren't familiar with this Monolith, please go to our website and read our numerous articles and tips on this Rule. The obligations are strenuous and serious, and the standards you are being held to have increased substantially in the intervening years.


For over a year, we've been banging the drum about how lawyers will use the Safeguards Rule in private litigation and allege that a failure to comply with the Rule is gross negligence, conscious indifference, and all sorts of other bad things, which support a claim for punitive damages. These warnings aren't a scare tactic; this case proves our fears are very real. If you need further proof that hits closer to home, look up the Morelli v. Jim Koons Auto Companies case, which also involved a data breach.


The Settlement


While the defendant denied all liability, ultimately it chose to settle the case for this significant amount. Impacted individuals can recover documented losses related to identity theft and fraud-related charges, credit monitoring costs, and other expenses. They can also recover for their time spent dealing with these issues.


Our Call to Action


Don't ignore the lessons of this case. Don't think you are adequately protected because you have good IT resources. After an early flurry of activity about two years ago, we now have very few meaningful inquiries from clients about their obligations under the Safeguards Rule and how to protect their business. This deeply concerns us and it needs to change. We'll put our money where our mouth is. We'll give the first 20 folks that ask in the next week a complimentary 30-minute consultation on the state of your Safeguards preparation. Please reach out to info@IgniteCP.com.
