Tuesday, March 29, 2016

Data Security Breaches Settled and Filed

Data security breaches are becoming too common for comfort as we participate daily in the marketplace. Companies, governmental institutions, nonprofits, and organizations are quickly learning that cyber incidents could be a day away. If they claim that their information is secure, that claim can be checked, and they can be found guilty of deception for giving customers, members, and the like a false sense of security. Inadequate measures that do not meet reasonable and industry standards may soon be of no avail, and that lackadaisical approach to IT management has recently affected schools as well as commonly frequented stores.

One such store, Home Depot, just entered into a settlement agreement in the United States District Court for the Northern District of Georgia that was filed on March 7, 2016. A couple of days later, a suit was filed in the United States District Court for the Central District of Florida against the University of Central Florida (UCF). The complaint cites claims for negligence in handling confidential information, breach of implied contract to keep the data secure, conversion, and bailment. The latter is underscored by the plaintiffs' argument that UCF did not safeguard the personal or financial information of persons.

The store suit claimed that the store failed to maintain industry-standard data security and appropriate notification practices. Count I asserted violations of consumer laws regarding all affected plaintiffs and separate statewide consumer law classes. Count II asserted violations of state data breach notification statutes on behalf of separate statewide classes. Count III asserted the occurrence of negligence. Count IV asserted the occurrence of a breach of implied contract. Counts V and VI asserted unjust enrichment and declaratory judgment. The complaint asserted that the store violated state data breach statutes by not informing customers in a timely manner and not providing them accurate notification of the breaches.

In its settlement, the store agreed to establish a reimbursement fund for cardholders and a fund for identity protection for cardholders. The store will also invest to enhance its data security practices and improve its identity protection services. The cyber intrusion into Home Depot's system occurred when a vendor's credentials were acquired to enter the network and extract customer purchasing card information using malware.

The UCF lawsuit claims that the school committed negligence by failing to reasonably secure the personally identifiable information (PII), to maintain the PII securely, and to provide notice of the incident in a timely manner. The suit claims that UCF took over a month to notify the affected persons and that the size of the affected class approximates 63,000. The potentially affected persons at UCF include employees, students, and alumni, and the type of information extracted may have included Social Security numbers and complete names. The lawsuit also asserts that UCF violated Florida's Deceptive and Unfair Trade Practices Act, claiming that UCF's conduct was unlawful by not seeking to protect the plaintiffs' vested interest in the privacy, security, and integrity of their PII.


See Home Depot Data Security Settlement, In re The Home Depot Inc., 1:14-md-02583 (NDGA).



Lorenzo Law Firm is "Working to Protect your Business, Ideas, and Property on the Web."
Copyright 2016, all rights reserved Lorenzo Law Firm, P.A.
