Export Compliance Daily is a Warren News publication.
'Substantial Increased Risk'

Zeroed-In Waited 4 Months Before Disclosing Data Breach, Class Action Alleges

By obtaining, collecting and storing plaintiff Thomas Neeley’s personally identifiable information (PII), software company Zeroed-In assumed “equitable and legal duties” to safeguard it and use the information only for business purposes, “and to only make authorized disclosures,” said a class action Tuesday (docket 2:23-cv-01219) in U.S. District Court for Middle Florida in Fort Myers.

Zeroed-In reported an Aug. 7-8 data breach to the Maine Attorney General’s office Nov. 27, “nearly four months after” it occurred, said the complaint. Around that time, plaintiff Neeley, an Illinois resident, received notice that his PII was compromised in the breach.

Zeroed-In promotes its software as capable of directly extracting data from customers' human resources and operational systems, including widely used HR applications produced by ADP, Ceridian, Salesforce and Workday, the complaint said. Neeley and class members are or were employees of companies and entities that used Zeroed-In’s services to collect, manage and analyze their workforce data, it said. They entrusted their employers with PII as a condition of employment, it said.

The data breach occurred as a "direct result of Zeroed-In’s failure to implement and follow basic security procedures to protect employee PII that its customers had allowed Zeroed-In to harvest, analyze, and store," including names, birthdates and Social Security numbers, the complaint said. The company knew that a breach would result in heightened risk of identity theft and fraud against the individuals whose data was compromised, it said.

Once PII is exposed, “there is virtually no way to ensure that the exposed information has been fully recovered or obtained against future misuse,” said the complaint. Neeley and class members are at “substantial increased risk of suffering identity theft and fraud or misuse of their PII” as a result of the breach, it said.

Neeley and class members will incur out-of-pocket costs for protective measures, including identity theft protection, credit monitoring and credit report fees, the complaint said. It cited FTC data saying it takes consumers an average of 200 hours of work over six months to recover from identity theft. Neeley and class members remain susceptible to compromise as long as Zeroed-In “fails to take necessary and appropriate security and training measures to protect the PII in its possession,” it said.

Neeley seeks damages to be determined by the court, an order of restitution, declaratory and injunctive relief, reasonable attorneys’ fees and costs, plus pre- and post-judgment interest, the complaint said. Zeroed-In didn’t comment Wednesday.

In a related item, law firm Schubert Jonckheer announced in a Dec. 11 news release it's investigating the breach as it impacted "the sensitive personal information of 1.9 million employees and customers of Dollar Tree, Inc., which operates over 16,000 retail discount stores.” The firm said Dollar Tree "allegedly shared the private, unencrypted information of its employees and customers" with Zeroed-In.