Negligence Cases Stack Up as Comcast Customers Learn of Data Breach

Plaintiff Alexander Nunn of Donelson,Tennessee, received an email from Comcast Jan. 2 about the breach, said his class action Friday (docket 0:24-cv-60029) in U.S. District Court for Southern Florida in Fort Lauderdale. Nunn’s complaint noted Comcast informed some customers of the breach as early as Dec. 18.

The defendants failed to adequately protect Dunn's and class members' personally identifiable information (PII) "and failed to even encrypt or redact this highly sensitive information," said the complaint. Dunn's unencrypted, unredacted PII was compromised due to the defendants’ "negligent and/or careless acts and omissions and their utter failure to protect Comcast’s customers’ sensitive data," it said.

Comcast's website said the ISP follows "industry-standard practices to secure the information we collect to prevent the unauthorized access, use, or disclosure of any personal information we collect and maintain," according to Nunn's complaint. He and class members, including current and former Xfinity customers, "relied on these promises and on these sophisticated business entities to keep their sensitive PII confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information," it said. Customers demand adequate security to safeguard their PII, "especially when their Social Security numbers and other sensitive PII are involved," it said.

Plaintiff Patricia Andros learned of the data breach “from the news,” said her Friday class action (docket 2:24-cv-00068) in U.S. District Court for Eastern Pennsylvania in Philadelphia. When she then logged in to her Xfinity account, the website prompted her to change her password. Similarly, co-plaintiff Ronald Simmont learned of the breach when Xfinity required him to log into his account and change his password. When he logged in to change the password as instructed, he “learned of the breach.” Both plaintiffs are Pennsylvania residents.

Comcast and Citrix sent a breach notification letter to affected customers Dec. 18 but didn’t state why they were unable to prevent the breach, which security feature failed or why they waited more than two months after discovering the breach to notify affected customers, the Andros complaint said.

Andros and Simmont have and will have to continue to spend time trying to mitigate the consequences of the data breach and have suffered lost time, annoyance and inconvenience as a result of the breach, plus increased concerns for the loss of their privacy, said the complaint. Future identity theft monitoring is “reasonable and necessary” and will cause the plaintiffs to incur future costs and expenses, it said.

Citrix and Comcast could have prevented the breach by properly securing and encrypting plaintiffs’ private information, and destroyed the data they didn’t need to maintain, the complaint said. Despite numerous public announcements of data security compromises, the defendants “failed to take appropriate steps” to protect plaintiffs’ information, the complaint said.

Andros and Simmont assert claims of negligence, breach of implied contract and third-party beneficiary contract, and unjust enrichment. They seek compensatory, punitive, statutory and treble damages; pre- and post-judgment interest; and attorneys’ fees and costs.

Nunn claims negligence and negligence per se, breach of implied contract and third-party beneficiary contract, unjust enrichment and violation of the Florida Deceptive and Unfair Trade Practices Act. He seeks actual, nominal and consequential damages, plus orders enjoining defendants from engaging in the wrongful conduct described, to encrypt and delete data in accordance with applicable regulations and to implement a threat management program. He also seeks pre- and post-judgment interest, plus attorneys’ fees and costs. Comcast didn't comment Monday. A spokesperson for Citrix said the company doesn't comment on pending litigation.