[BreachExchange] They're not fraud victims yet, but plaintiffs quickly sue Pompano Beach company over data breach

[Destry Winant]

http://www.sun-sentinel.com/business/fl-bz-complyright-data-breach-suit-20180803-story.html

It didn’t take long for the lawyers to show up.

A Pompano Beach-based business services company, ComplyRight, was sued
in two separate federal court actions just days after notifying
clients that their personal information was exposed in a data breach.

The company sent letters to customers on July 13 stating that names,
addresses, telephone numbers, email addresses and Social Security
numbers were “accessed and/or viewed” in what it called “unauthorized
access” of its website between April 20 and May 22. It said it was
unaware of any identity fraud resulting from the breach and told
letter recipients they were entitled to 12 months of free credit
monitoring.

A week after sending the letter, five Chicago attorneys sued the
company in the Northern District of Illinois on behalf of Susan
Winstead, identified in the suit only as a resident of Illinois.
Winstead received a letter from ComplyRight on July 17, three days
before the suit was filed on July 20, the suit said.

The suit cites a nearly two-month lag between when ComplyRight said it
discovered the data breach and when it sent the notification letters,
saying the company kept the incident secret during its forensic
investigation and gave the data thieves three months since the breach
began “to perpetuate fraud … with no victim aware of the threat.”

The number of victims is unknown, the suit said, but “Plaintiff has
reason to believe that the number of impacted individuals is very
large.”

On July 26, Fort Lauderdale attorney Seth M. Lehrman of the firm
Edwards Pottinger LLC filed a suit in U.S. District Court in Fort
Lauderdale on behalf of plaintiffs Robert Bohannon of Granger, Ind.,
and Holly Buckingham of Woodbine, Md.

The suit did not claim that identity thieves had impersonated Bohannon
or Buckingham, or that they had suffered financial damages beyond the
fact that “Buckingham has spent at least two business days expending
effort to ensure her Personal Information is not used by the hackers
and that her identity is not stolen.”

Bohannon and Buckingham were “injured,” the suit stated, because
ComplyRight “failed to adequately safeguard” their personal
information.

Likewise, Winstead and other members of the class suffered “injuries
and damages” because they are now at increased risk of identity theft
and fraud and because of expenses and the value of their time spent
mitigating the increased risk of fraud.

None of the attorneys responded to emails from the Sun Sentinel
seeking comment about the suit. ComplyRight also did not respond to
requests to discuss this story, or the initial report about its data
breach notifications.

ComplyRight, identified in the suits as a Minnesota company with its
principal place of business in Pompano Beach, provides human resources
services for small businesses and told victims their information would
have been in the company’s online database because it was entered on
tax forms by employers or payers, including Forms 1099 and W-2.

Both suits seek certification as class actions, damages to the
plaintiffs and other class members, and plaintiffs’ attorneys fees,
costs and expenses.

These days, it’s common after data breaches make the news for
plaintiffs’ attorneys to engage in “a race to the courthouse” to file
class-action suits even before plaintiffs are victimized by identify
theft in hopes that defendants will opt to settle rather than
litigate, said Nathan Taylor, a cybersecurity attorney with Morrison
Foerster LLP in Washington, D.C.

“Plaintiffs’ attorneys want to get there before other plaintiffs’
attorneys,” Taylor said.

He said more courts are denying motions by defendants to dismiss
class-action data breach cases on grounds that plaintiffs lack
standing because they haven’t yet suffered damages from identity
fraud.

Courts are increasingly agreeing with plaintiffs that time spent by
data breach victims enrolling in credit monitoring services, calling
credit cards companies, and dealing with paperwork has a monetary
value, according to an April blog entry by Morrison Foerster attorneys
Tiffany Cheung and Morgan Donoian MacBride.

When motions to dismiss are denied, defendants will choose to settle
rather than proceed to trial in nearly all cases, Taylor said.

Notable settlements in recent years include $115 million agreed to by
health insurer Anthem Inc. last year after a breach compromised almost
80 million customers, and $19.5 million that Home Depot agreed to pay
to compensate customers affected by a 2014 breach. Last year, Home
Depot agreed to pay $27 million to affected credit card companies.

Taylor said he is unaware of any data breach lawsuit that resulted in
a trial over the question of defendants failing to adequately secure
their customers’ information.

“Companies don’t want to go to trial against their customers,” he said.