Export Compliance Daily is a Warren News publication.
5-Month Notification Gap

Neb. Bank's Security Incident Letter Short on Details, Says Class Action

Adams Bank & Trust maintained customers’ personally identifiable information (PII) in a “reckless manner” vulnerable to cyberattacks, alleged a class action Monday (docket 7:23-cv-05005) in U.S. District Court for Nebraska in North Platte.

The bank informed customers Nov. 15 in a security incident letter that it discovered “suspicious activity” on its computer systems on May 16, said the complaint. The affected files included customers’ names, dates of birth, Social Security numbers, financial account and payment card information, and government-issued IDs, it said.

The notice letter didn’t include an explanation of why the bank failed to notify named plaintiff Tina Trujillo LongWolf and class members of the data breach until about five months after it occurred, said the complaint. It also didn’t give details about the cause of the breach, the vulnerabilities exploited and the remedial measures taken to ensure such a breach doesn’t happen again, it said. The disclosure “amounts to no real disclosure at all,” because it omits “critical facts” that affect LongWolf’s ability to mitigate the harms resulting from the breach, it said.

LongWolf, a resident of Ogallala, Nebraska, would not have entrusted the bank with her PII if she had known it would not adequately protect it, the complaint said. Adams Bank had a duty under the FTC and Gramm-Leach-Bliley acts to keep current and former customers’ PII confidential and to protect it from unauthorized access and disclosure, it said.

Adams Bank didn’t use security procedures appropriate to the nature of the sensitive information it was maintaining for LongWolf and class members, such as encrypting their PII or deleting it when it was no longer needed, the complaint said. The hacker accessed and acquired files the bank shared with a third party containing customers' unencrypted PII, it said. LongWolf believes her PII was subsequently sold on the dark web, following similar patterns of other data breaches, it said.

The defendant should have known the risk of a data breach because financial institutions are particularly susceptible to cyberattacks, the complaint said. Data thieves frequently target banks because of the highly sensitive information they hold. In Q3 alone, 7,333 organizations experienced data breaches, resulting in the compromise of 66.7 million individuals’ PII, it said, citing a report from Identity Theft Resource Center.

Adams Bank told customers in the notice letter it would provide 12 months of credit and theft monitoring services as a result of the breach, the complaint said. That length of time is “wholly inadequate” to compensate for the multiple years of ongoing identity theft and financial fraud that data breach victims commonly experience, it said. When the one-year service expires, LongWolf and class members will have to pay for "necessary" identity monitoring services themselves, it said.

LongWolf suffered actual injury from having her PII compromised, including invasion of privacy, theft of her PII and lost time and opportunity costs associated with attempting to mitigate the consequences of the breach, the complaint said. She has experienced an increase in spam calls and emails and suffered fear, anxiety and stress associated with the breach, it said.

LongWolf’s claims include negligence, breach of implied contract and fiduciary duty, and unjust enrichment, the complaint said. She requests for herself and the class equitable relief enjoining Adams Bank from engaging in the wrongful conduct described and requiring it to encrypt all data collected through the course of business, according to applicable regulations and standards; to delete, destroy and purge plaintiff and class members’ PII; and to implement and maintain a comprehensive information security program, it said.

The plaintiff seeks awards of actual, compensatory, statutory, nominal and punitive damages; attorneys’ fees and legal costs; and pre- and post-judgment interest, the complaint said. Adams Bank didn’t comment Tuesday.