Comcast, Citrix Failed to Provide Basic Details About Data Breach: Class Action
Notices from Citrix and Comcast to customers about an Oct. 10 data breach “failed to provide basic details,” said a new class action Wednesday (docket 0:24-cv-60008) in U.S. District Court for Southern Florida in Fort Lauderdale.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The “essentially identical” notices from the companies about Citrix’s data breach don’t disclose how unauthorized parties accessed class members’ private information, which Citrix product contained the vulnerability and whether the issue was “a system-wide breach or limited to a certain subset of customers,” said the complaint. The communication also failed to state how many people the breach affected, though a Comcast filing with the Maine Attorney General’s office pegged the figure at 35.8 million, it said.
As a result of the breach, plaintiff Jessica Carey of Marblehead, Massachusetts, and class members suffered “ascertainable losses,” including the loss of potential value of their private information, loss of the benefit of their contractual bargain with defendants, out-of-pocket expenses and the value of their time incurred to remedy or mitigate the effects of the data breach, the complaint said. Defendants’ “knowingly collected” customers’ private information in confidence and had a duty to secure, maintain and protect the information against unauthorized access and disclosure through “reasonable and adequate security measures,” it said.
An Xfinity wireless internet customer since 2020, Carey was required to give Comcast her personal information as a condition of receiving internet service, said the complaint. She learned about the breach in December when she logged into her account and saw a Comcast alert about it. The alert urged that she change her password and authorize two-factor authentication, the class action said.
Since then, Carey has spent time, at Comcast’s direction, working to mitigate the impact of the breach, including monitoring her bank and other online accounts, changing passwords, examining her credit score and researching the impact of the breach. Comcast also told Carey to “remain vigilant against" future "incidents of fraud and identity theft.”
Carey has suffered emotional distress as a result of the release of her private information, which “she expected Defendants to protect from disclosure,” the complaint said. She has experienced “anxiety, concern, and unease about unauthorized parties viewing, and potentially using” her private information, it added. Defendants “were well aware” that the private information they collect from customers “is highly sensitive and of significant value to those who would use it for wrongful purposes,” it said.
The plaintiff asserts claims of negligence and negligence per se; breach of implied and third-party beneficiary contract; and unjust enrichment, said the complaint. She seeks injunctive relief to prevent defendants from engaging in the unlawful acts described; awards of compensatory, consequential, and general damages; statutory damages, trebled, and punitive or exemplary damages; and attorneys’ fees, costs and pre- and post-judgment interest, it said.