Plaintiff's PII Compromised in Data Breach at Company He Didn't Know: Class Action
A data breach at Multi-Fineline Electronix (MFlex) in Irvine, California, was a direct result of the printed circuit manufacturer’s failure to implement adequate cybersecurity procedures to protect employees’ and beneficiaries’ personally identifiable information (PII) from a “foreseeable and preventable” cyberattack, alleged a class action Tuesday (docket 8:24-cv-00400) in U.S. District Court for Central California in Santa Ana.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Joseph Biondi, a resident of Toms River, New Jersey,wasn’t familiar with Multi-Fineline before receiving a notice in the mail dated Feb. 8, saying his PII was “improperly accessed and obtained by unauthorized third parties,” in a data breach that occurred Dec. 1, 2022-Jan. 2, 2023, the complaint said. Compromised information included his name, birthdate, driver’s license number or state identification number, financial account number and access information, health insurance identification number, information related to medical treatment or diagnosis, passport number, payment card number and access information, Social Security number, and/or username and password, it said.
Since the breach, Biondi has suffered “numerous, substantial injuries,” including invasion of privacy, theft and diminished value of his PII, lost time and opportunity costs associated with trying to mitigate consequences of the data breach and continued risk to his PII, which remains backed up in MFlex's possession, the complaint said. In addition, he suffered actual injury in the form of his PII being disseminated on the dark web, according to Experian, the complaint said. Biondi also suffers fear, anxiety and stress, compounded by MFlex's failure to inform him of key details about the breach, it said.
MFlex offered data breach victims 12 months of identity monitoring service, which the complaint called “wholly inadequate” compensation. Biondi and class members face “multiple years of ongoing identity theft” and financial fraud, and the offering “entirely fails to provide sufficient compensation” for the authorized release and disclosure of victims’ PII, it said.
The offer of credit and identity monitoring establishes that Biondi’s and class members’ PII “was in fact affected, accessed, compromised and exfiltrated” from MFlex's computer systems, the complaint said. Upon information and belief, the defendant obtained Biondi’s PII in the course of its regular business operations, it said. At the time of the breach, MFlex retained Biondi’s PII, the complaint said.
Biondi asserts claims of negligence and unjust enrichment. He seeks orders requiring the defendant to delete and destroy his and class members’ PII and to implement a comprehensive information security program. He also seeks awards of actual, compensatory, statutory, punitive and nominal damages; attorneys’ fees and costs; and pre- and post-judgment interest.