Export Compliance Daily is a Warren News publication.
'Suspicious Activity'

Benefits Industry Software Provider Failed to Protect Customers' PII, Says Class Action

Trust Benefit Technologies (TBT), a software provider for the benefits administrator industry, failed to protect customers’ personally identifiable information (PII) in a May 16-May 22 data breach when cybercriminals gained access to the company’s IT network, alleged a class action Thursday (docket 2:23-cv-09233) in U.S. District Court for Central California in Los Angeles. The company disclosed the breach to customers Oct. 19.

Plaintiff Raymond Lopez of Lakewood, Colorado, provided his PII to TBT as required by his Southern California, Arizona, Colorado and Southern Nevada Glaziers, Architectural Metal and Glassworkers pension plan. Pacific Southwest Administrators, the third-party administrator for the plan, used TBT to prepare its benefit administration reports, and TBT stored Lopez’s PII, the complaint said.

Not until “after months it claims to have discovered” the data breach did TBT begin notifying customers whose PII was potentially compromised in the breach, said the complaint. Hackers gained access to Lopez’s PII “with the intent of engaging in the misuse of the PII, including marketing and selling” the data, the complaint said. By obtaining, collecting and storing Lopez’s and class members’ PII, TBT “assumed legal and equitable duties and knew or should have known that they were thereafter responsible for protecting” it from unauthorized disclosure, it said.

TBT President Bruce Biller notified customers in an Oct. 19 letter sent to the California attorney general's office that it identified “suspicious activity” within its computer network May 22 and “immediately took steps to secure our environment.” After a “thorough investigation recently concluded, and on or about June 26,” the company determined that customers’ names, Social Security numbers and dates of birth were “potentially accessed by an unknown, unauthorized actor” as a result of the breach.

Lopez was injured in the form of lost time dealing with the consequences of the breach, including verifying its legitimacy and impact, exploring credit monitoring and identity theft insurance options, monitoring his accounts with “heightened scrutiny” and seeking legal counsel, said the complaint. He was also injured by the “material risk to future harm” resulting from the breach. Lopez has increased anxiety over his loss of privacy and over the impact of cybercriminals accessing, using and selling his PII, it said. The complaint cited a 2019 report from VPNOverview.com saying cybercriminals can buy access to “entire company data breaches from $999 to $4,995.”

TBT offered victims access to single-bureau credit monitoring, credit report and credit score services for 12 months from the date of enrollment, said Biller’s letter. The company also offered “proactive fraud assistance” via Cyberscout, through TransUnion company Identity Force.

Lopez claims negligence, breach of implied contract and implied covenant of good faith and fair dealing, and unjust enrichment. He seeks an order requiring TBT to cease unlawful activities; equitable relief enjoining it from the misuse or disclosure of Lopez’s and class members’ PII; requiring it to maintain a comprehensive information security program; and requiring it to “meaningfully educate” class members about the threats they face as a result of the breach.

Lopez seeks awards of actual, nominal and consequential damages, prejudgment interest and attorneys’ fees and legal costs. Biller’s letter told customers that “at this time, we have received no indication of any identity theft or fraud.”