[BreachExchange] Rare data breach claim against a county settled for $1M

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 28 18:46:22 EDT 2016


http://legalnewsline.com/stories/510964306-rare-data-breach-claim-against-a-county-settled-for-1m

Hundreds of Mille Lacs County, Minn. residents went to bed on July 1 with a
million reasons to feel a little better.

On that day, a settlement was announced between residents and Mille Lacs
County and Mikki Jo Peterick, a former child support investigator for the
Mille Lacs County Department of Family Services, in a case that involved
Peterick's unauthorized access of the personal information of over 260
county residents in violation of the federal Driver’s Privacy Protection
Act.

The settlement was the closing chapter in a civil suit that was initiated
by concerned county residents in May 2013. The residents alleged that
Peterick used her position to improperly access personal information and
this was possible, in part, because the county did not have the appropriate
security safeguards in place.

According to court records, because Peterick used computers from the
Minnesota Department of Motor Vehicles, she had access to information that
would include names, driver’s license numbers, addresses, driver’s license
photos and all of the defining personal detail that appears on a driver's
license. One question that appears to remain unanswered is what
Peterick was looking for.

"We do not know what Ms. Peterick’s motives were for accessing the
information, and would be speculating," Kathryn M. Rattigan, an attorney at
Robinson+Cole, told the Legal Newsline. "The motive may have been simple
curiosity; however, these types of data may be used for fraudulent activity
as well."

The terms of the settlement include an initial payment of $1 million by
Peterick and Mille Lacs County to the class action members.

From that, $100,000 will be set aside for class members who might opt out
of the settlement; attorneys' fees will be covered; and the Gulvig and
Schmoll families, who initiated the suit, will receive $25,000 each for
their position as representatives in the case.

The remainder of the settlement payment will be distributed to the class
members with each receiving a portion based on the number of times their
records were searched. An audit, conducted by the county, estimates that
Peterick accessed the affected residents' records 605 times between January
2009 and November 2012.

While data breaches seem to be consistently in the news, it is rare to see
a settlement of this nature outside of the retail space.

"It is rare to see a county or municipality facing a class action such as
this only because class actions for privacy violations and data breaches
are typically brought against entities with deeper pockets so to speak,"
Rattigan said. "For example, companies like Target and Home Depot faced
class actions for recent data breaches and paid out over $10 million and
$19.5 million in settlements, respectively."

Although the Peterick/Mille Lacs County suit alleged that the county did
not have an adequate security protocol, even if it did, it may not have
been enough.

"The biggest lesson from this case is that employees are still the biggest
threat to an organization’s data," Rattigan said.