The following is a guest blog, published with the author’s permission. The original post was published at Tressler LLP.
Here It Is: The Decision That Tells Data Collectors Exactly What They Should Have Known Before They Had A Breach
A class action entitled Wade v. ABM Indus. Inc., 2018 CH 3855, was initiated last week against ABM Industries (“ABM”) in Illinois based on allegations that ABM recently breached its employees’ Personal Information. In summary, the class action plaintiff claims he was damaged by his employer, ABM, “when it ‘allowed hackers to obtain access to Plaintiff’s and other employees’ Personal Information.’” In particular, the class action plaintiff claims his Personal Information “should not have been susceptible to unauthorized access through the use of one of the oldest, and least sophisticated types of cyber-attacks – the ‘phishing email scheme.’”
Allegations Related To The Breach
The class action plaintiff claims his Personal Information, including documents containing medical information, was taken during a breach in August of 2017. Specifically, the class action plaintiff claims ABM was the target of “cyber attackers” a number of times over the years and, therefore, should have taken better steps to protect its employees’ information prior to the “phishing” attack which led to the subject data breach.
The class action plaintiff claims ABM should have been better prepared for this incident since it had “been targeted by cyber-attacks many times in the last decade.”
Allegations Related To ABM’s Notification
The class action plaintiff further alleges that ABM should not have waited more than seven months, until March 5, 2018, to notify its employees of the incident. The class action plaintiff also claims that, in addition to being untimely, the notification letter failed to provide sufficient information concerning the incident to allow employees to protect themselves.
Causes Of Action
The class action plaintiff claims he has had to take steps to protect against identity theft and fraud and has suffered mental anguish, in that “he experiences anxiety and anguish when he thinks about what would happen if his identity is stolen as a result of the Data Breach.”
In addition to claims for breach of contract, breach of implied contract and a violation of Illinois’ Consumer Fraud and Deceptive Business Practices Act, the class action plaintiff’s complaint also contains the following causes of action:
- Violation Of N.Y. Gen. Bus. Law § 349 et seq.: In his first cause of action, the class action plaintiff claims ABM engaged in “deceptive, unfair and unlawful trade acts or practices.” Here, the class action plaintiff claims he had to provide his Personal Information as a condition of employment.
- Negligence: In his fourth cause of action, the class action plaintiff claims ABM was negligent when it failed to implement reasonable security measures and cybersecurity protocols and failed to timely notify the class action plaintiff of the incident involving his Personal Information.
The allegations found in the class action plaintiff’s complaint against ABM highlight the difficult position employers may find themselves in when employees claim their personal information has been compromised. Of course, the employer-employee relationship requires that the parties continue to work together and exchange information even after an employee claims their information has been compromised. Further, these allegations are part of a growing trend that calls into question not only the technical safeguards of a data collector, but also non-technical safeguards such as security protocols and the reasonableness of a data collector’s notification process. In the end, liability for a breach involving customer data or employee data will be limited if a data collector can show it took as many reasonable steps as possible to protect that data.