Did Ransomware Attack Fallout Trigger California Data Privacy Law Violation?
A California resident has filed a class action lawsuit claiming that a Rhode Island legal services provider hit by a ransomware attack has violated the state’s data privacy law by exposing the personal data of 50,000 of its citizens.
Benjamin Karter filed the complaint in the Superior Court for the State of California for the County of Orange on May 26, 2020, asserting that Epiq Systems Inc. failed to comply with the California Consumer Privacy Act (CCPA). The lawsuit has since been moved to the U.S. District Court for the Central District of California.
Epiq provides legal services to law firms, corporations and government agencies through its subsidiaries.
CCPA Violations: Potential Penalties
The CCPA, which resembles the European Union’s General Data Protection Regulation, gives the state’s 40 million residents the right to require a business to disclose the types of personal information it collects on the consumer, where that information is collected and whether it’s being sold or shared. Violators could be docked up to $7,500 for each infraction. The law mandates that companies buying or selling personal information for over 50,000 households or customers must meet CCPA terms. It is the first and the only such data privacy law in the country and extends to businesses headquartered outside the state but conducting business within its borders.
Epiq Class Action & Claims Solutions, Inc., a subsidiary of Epiq Systems that provides class action administration services, is the entity named in Karter’s complaint. According to the filing, Epiq Class Action collected information from more than 50,000 California residents.
Epiq’s networks were victimized by ransomware hackers in late February 2020, resulting in the exfiltration of both “nonencrypted and nonredacted personal information,” according to the filing. Karter, whose Social Security number was stored on Epiq’s servers along with thousands of others’, claims that the malware attack succeeded because Epiq had not updated Microsoft’s Windows operating system to a later, less vulnerable version. Had Epiq upgraded its system software, the attack might not have succeeded, Karter said.
“Epiq’s negligent and careless acts and omissions and the failure to protect consumers’ data” led to the theft of information, Karter claims in the filing. “Epiq has failed to satisfy its duty under the California Consumer Privacy Act,” the complaint reads. Karter believes that “this malware and ransomware exfiltrated sensitive data on Epiq’s network(s) and the data is now in the hands of the perpetrators [of the attack].” Owing to the data security incidents, Karter and other class members “face a lifetime risk of identity theft,” the plaintiff claims.
What the Plaintiff Wants
Karter is asking for statutory damages of not less than $100 and not greater than $750 per consumer per incident. Were the minimum statutory damages to be applied, the “amount in controversy” would exceed $5 million, filings said. Karter also seeks actual damages, including punitive damages.
Epiq has denied all of the allegations. “We can state with confidence, based upon our own investigation as well as a complete forensic investigation and verification by our third-party consultant, Mandiant, that all allegations, including the allegation of any data exfiltration and including that of Mr. Karter’s, during the event in February 2020 are baseless and without merit,” said Catherine Ostheimer, vice president of marketing at Epiq, in a statement.