Samsung Was ‘Reckless and Negligent’ in Enabling Data Breach: Suit
The data breach that Samsung disclosed publicly Sept. 2 exposed consumers’ “personally identifiable information” (PII) to harm because the company “intentionally, willfully, recklessly, or negligently” failed to take “adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” alleged a class-action complaint Monday (in docket 1:22-cv-07974) in U.S. District Court in Manhattan.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Consumers who trusted Samsung to securely store their information “suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft,” plus “out-of-pocket expenses, and value of time reasonably incurred to remedy or mitigate the effects of the data breach,” said the complaint. The breach happened because Samsung “maintained the PII in a reckless and negligent manner,” on a network system “in a condition vulnerable to cyberattacks,” it said. Samsung didn’t comment.
Plaintiff Roald Mark, a Houston resident, received an emailed notification of the breach from Samsung the same day it posted notices on its online newsroom because he had shared his PII with Samsung to access services, said the complaint. Mark almost immediately “began receiving communications from identity and privacy protection services,” it said.
Samsung delayed alerting its customers about the breach after discovering their information had been compromised, said the complaint. “As of the date of this filing, it is unclear if Samsung has provided notice to all impacted individuals.” Samsung’s public notifications “confirmed that the information breached included name, contact and demographic information, date of birth, and product registration information,” it said. “Samsung has not provided its customers with the exact dates as to when the breach occurred or how long it lasted.”
Samsung claims financial information and social security numbers were “unaffected” in the breach, said the complaint. “Despite that claim, in its notice letter, Samsung informs the affected individuals that they are entitled to one free credit report annually from each of the three major nationwide credit reporting agencies.”
Samsung’s response to the breach “increased the potential of harm,” said the complaint. Enhancing the danger to consumers, “Samsung was incapable of detecting the scope of the data breach for one to two weeks, at a minimum,” it said. Because Samsung is “silent” about when it detected the breach, consumers “are unaware as to how long it took Samsung to determine their PII had been compromised,” it said.
The suit identifies the potential class as including all persons who bought or used Samsung products in the U.S., and whose PII was compromised due to the breach. Besides negligence, the complaint accuses Samsung of breach of implied contract, invasion of privacy and invasion of confidence. It seeks statutory damages or penalties “to the extent available,” plus an order of restitution.