Participant sues archivist for data breach


With cybersecurity of growing concern to plan trustees, plan members – and regulators – one plan member has sued their plan’s archivist for breaching an implied contract to protect their data, as well as for breaching a fiduciary duty.

The lawsuit was brought by a certain Eric Giannini “on behalf of participants in an individual pension fund plan who used Transamerica’s services and had their sensitive personal information accessed by unauthorized parties due to a network security failure in or about June 2021,” alleging “… to exercise due diligence to secure and protect sensitive information of their customers, including names, addresses, social security numbers and amounts of contributions to the retirement funds, collectively referred to as Personally Identifiable Information (“PII” or “Private Information”).”

The complainant Giannini asserts that he was not informed of the violation until “almost 4 months after his information[i] was first accessed” and that he “suffered a number of damages as a result of the data breach incident since Transamerica’s systems were accessed, including the misuse of its information identification for fraudulent purchases”.

Ongoing issues

The lawsuit says the group members “will continue to experience various types of misuse of their personal information in the years to come, including, but not limited to, unauthorized credit card charges, unauthorized access to email accounts and other fraudulent uses of their financial information,” and that “there has been no assurance offered from Transamerica that all personal data or copies of data have been recovered or destroyed.” While he acknowledges that Transamerica offered Equifax credit monitoring (worth two years), the lawsuit contends that “… does not guarantee the security of the applicant’s information” and that “to mitigate the additional damages, the plaintiff has chosen not to disclose any more information to receive these services related to Transamerica.”[ii]

The lawsuit alleges that “some of the risks associated with the loss of personal information have already manifested themselves,” noting that while Giannini received an “encrypted written notification letter from the defendant stating that his information was disclosed and that he should remain vigilant against fraudulent activity on his accounts, with no further explanation as to where this information might have gone, or who might have access to it. Mr. Giannini has already spent hours on the phone trying to determine what negative effects the loss of his personal information could occur.” Oh, and he indicates that “in addition to spending time on the phone monitoring his credit accounts, Applicant Giannini has also received an influx of calls and emails from spam”.

Beyond that, he claims to have received notices of purchase requisitions and service requests on his behalf that he has never requested or ordered, directly affecting his credit and financial record, including a specific reference to an invoice for cellular data equipment that he has never ordered. The lawsuit claims that the plaintiffs “did not take full advantage of the market and instead received services of less value than described in their agreements with Transamerica” – and that they “were damaged by an amount at least equal to the difference between the value of the services with data security protection they paid for and the services they received.”

‘Gas station

The prosecution argues that the complainants “would not have obtained[iii] from the defendant if the defendant had told them that he had not properly trained his employees, lacked security controls on his computer network, and did not have appropriate data security practices to protect their private information from theft.”

On the issue of credit monitoring, the lawsuit says the plaintiff “could not trust a company that had previously breached their data” and that the credit monitoring offered by Equifax “does not guarantee the privacy or security of data for the claimant, who would have to expose their information once again to obtain monitoring services. Thus, to mitigate the damage, the claimant and class members are now tasked with indefinite monitoring and vigilance of their accounts.” The lawsuit also expressed concerns that 24 months was not enough and that “although some damage has already started, the worst could be yet to come.” The prosecution also warned that “the surveillance of identity only alerts a person to the fact that they have been a victim of identity theft in the past (ie.

Ultimately, the lawsuit explains that “Giannini places great importance on his privacy, especially in the administration of his finances, and would not have paid the amount he paid for the administration services of his pension plan if he had known that his information would be retained using inadequate data security systems.”

Although archivists (and third-party administrators in general) were not considered to be trustees, this action argues that, if not under ERISA, they should be considered as such under the law because of what has been called a “special relationship” between the defendant and the plaintiff and Class Members, “whereby the Respondent has become the custodian of the private information of the Applicant and Class Members, the Respondent has become a Trustee through its engagement and guardianship of private information, to act primarily for the benefit of its clients, including the Applicant and Class Members for safeguarding the personal information of the Applicant and Class Member.”

Will the court be convinced? Time will tell us.

REMARK: In litigation, there are always (at least) two sides to every story. As factual as it may turn out, the initial trial in any action is only one side, and usually designed towards a particular outcome. In our coverage, you will see descriptions of qualified events such as “trial says” or “plaintiffs allege” – and these qualifiers should serve as a reminder of that reality.


[i] In October 2021, plaintiff Giannini received a notification letter from the defendant stating that his personal information had been entered, which included “name, address, social security number and numbers related to pension plan distributions and to tax information”.
[ii] There is at least one possible clue that the arguments presented are drawn from other similar lawsuits, as at one point it reads: “Otherwise understood that Transamerica would protect its the patients’ Private information if this information was provided to Transamerica” (emphasis added).
[iii] The lawsuit claims that the defendant, the plaintiff and the class members entered into implicit contracts for the provision of financial services, as well as implied contracts for the defendant to implement adequate data security to protect the confidentiality of the private information of the requester and group members.

About Hector Hedgepeth
